Azure Activity Logs for Management Group and Subscription creation/deletion do not match the expected schema

shrinjay mukherjee 0 Reputation points
2024-09-30T19:01:21.66+00:00

I have a diagnostic setting set up for my root management group:

    {
      "id": "providers/Microsoft.Management/managementGroups/MY-ROOT-MANAGEMENT-GROUP-ID/providers/microsoft.insights/diagnosticSettings/ManagementSetting",
      "type": "Microsoft.Insights/diagnosticSettings",
      "name": "ManagementSetting",
      "location": "global",
      "properties": {
        "eventHubAuthorizationRuleId": "/subscriptions/XXXXXX/resourceGroups/XXXXXX/providers/Microsoft.EventHub/namespaces/XXXXXX/authorizationrules/eventHubAuthzRule",
        "eventHubName": "XXXXXX",
        "logs": [
          {
            "category": "Administrative",
            "enabled": true,
            "categoryGroup": null
          },
          {
            "category": "Policy",
            "enabled": false,
            "categoryGroup": null
          }
        ]
      }
    },

and using this, I'm able to get activity log events for resource group creation/deletion etc. However, I have two exceptions:

  • Creating a Management Group
  • Creating a Subscription

In these two cases, I get a very different log format in my event hub. For example if I create a subscription:

{      
	"tenantId": "XXXXXX",      
	"correlationId": "32ea4f85-0ad1-40c3-aef5-93b746135f7c",      
	"time": "2024-09-30T17:24:16.3227927Z",      
	"resourceId": "/subscriptions/ec1c689a-ccdd-49f3-8d1c-9a573317e46a",      
	"category": "Administrative",      
	"operationName": "Microsoft.Management",      
	"resultType": "Succeeded",      
	"properties": {        
		"entity": "ec1c689a-ccdd-49f3-8d1c-9a573317e46a",        
		"message": "Entity ec1c689a-ccdd-49f3-8d1c-9a573317e46a is created with parent entity EventsManagementGroup",        
		"hierarchy": "XXXXXX/EventsManagementGroup/XXXXXX"      
	}    
},

Notice how the operationName is Microsoft.Management .

What is interesting is if I open my Activity Log and select the parent management group in the management group dropdown, I get this specific format of log. However, if I select the subscription (ec1c689a-ccdd-49f3-8d1c-9a573317e46a), I can see the expected log format:


{
    "authorization": {},
    "caller": "tester@XXXXX.com",
    "channels": "Operation",
    "claims": {
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn": "tester@test.com"
    },
    "correlationId": "\"CorrelationId\":\"a6003b48-68ea-4036-8f83-6ba533c6de04\"",
    "description": "",
    "eventDataId": "346b234d-ee23-896e-5c31-5ddd51d96c8e",
    "eventName": {
        "value": "",
        "localizedValue": ""
    },
    "category": {
        "value": "Security",
        "localizedValue": "Security"
    },
    "eventTimestamp": "2024-09-30T17:23:49.916568Z",
    "id": "/SUBSCRIPTIONS/EC1C689A-CCDD-49F3-8D1C-9A573317E46A/events/346b234d-ee23-896e-5c31-5ddd51d96c8e/ticks/638633138299165680",
    "level": "Informational",
    "operationId": "",
    "operationName": {
        "value": "Microsoft.Subscription/Subscriptions/write",
        "localizedValue": "Create subscription"
    },
    "resourceGroupName": "",
    "resourceProviderName": {
        "value": "",
        "localizedValue": ""
    },
    "resourceType": {
        "value": "",
        "localizedValue": ""
    },
    "resourceId": "/SUBSCRIPTIONS/EC1C689A-CCDD-49F3-8D1C-9A573317E46A",
    "status": {
        "value": "Succeeded",
        "localizedValue": "Succeeded"
    },
    "subStatus": {
        "value": "",
        "localizedValue": ""
    },
    "submissionTimestamp": "2024-09-30T17:23:49.916568Z",
    "subscriptionId": "EC1C689A-CCDD-49F3-8D1C-9A573317E46A",
    "tenantId": "",
    "relatedEvents": []
}

You can see this has the correct operationName, Microsoft.Subscription/Subscriptions/write, and the expected data. I just don't understand why I can never see the second log format in my event hub, only the first. They are both Azure Activity Logs from the Administrative category. Any insight would be appreciated.

Azure Event Hubs
Azure Event Hubs
An Azure real-time data ingestion service.
638 questions
{count} votes

1 answer

Sort by: Most helpful
  1. phemanth 10,405 Reputation points Microsoft Vendor
    2024-10-01T02:25:54.0333333+00:00

    @shrinjay mukherjee

    Thanks for reaching out to Microsoft Q&A

    You have a diagnostic setting set up for your root management group to collect activity log events, including those for resource group creation/deletion, management group creation, and subscription creation/deletion.

    However, you're observing two different log formats for management group creation and subscription creation events. The first format has an operationName of "Microsoft.Management", while the second format has the expected operationName with the correct resource provider and operation (e.g., "Microsoft.Subscription/Subscriptions/write").:

    In the provided JSON logs, noticed the following differences:

    1. OperationName: The first log format has an operationName of "Microsoft.Management", which is not specific to a particular resource provider. In contrast, the second log format has an operationName that includes the resource provider and operation (e.g., "Microsoft.Subscription/Subscriptions/write").
    2. ResourceId: The first log format has a resourceId that points to the subscription, while the second log format has a resourceId that includes the subscription ID and the event ID.
    3. Properties: The first log format has a properties section with an entity field, while the second log format has a more detailed properties section with fields like caller, claims, and description.

    It's possible that the Azure Activity Log system is using different log formats for management group and subscription creation events, which are not specific to a particular resource provider. These events might be generated by the Azure management plane, which is responsible for managing Azure resources at a higher level.

    When you select the parent management group in the management group dropdown, you're seeing the log format generated by the management plane. However, when you select the subscription, you're seeing the log format generated by the Azure resource provider (in this case, Microsoft.Subscription).

    To confirm this

    Check the Azure Activity Log documentation to see if there are any specific log formats mentioned for management group and subscription creation events.https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log-schema

    Verify that your diagnostic setting is correctly configured to collect activity log events for both management group and subscription creation events.

    If you're using Azure Monitor or another log analytics tool, check if there are any filtering or processing rules that might be affecting the log format.

    Hope this helps. Do let us know if you any further queries.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.