Azure FileShare Auditing

Bala Smart 51 Reputation points
2022-01-12T14:26:49.613+00:00

Hi team,
Is there any API for getting file-level auditing on Azure File Share, like who accessed/deleted/modified a file at a specific time, like Windows file server auditing?
I know Azure provides metrics, but we need file-level auditing support. If there is any API available, let me know.

Azure Files

1 answer

  1. Sumarigo-MSFT 47,471 Reputation points Microsoft Employee Moderator
    2022-01-12T15:51:27.643+00:00

    @Bala Smart Welcome to Microsoft Q&A Forum. Thank you for posting your query here!

    This topic lists the storage service operations and status messages that are recorded by Storage Analytics.

    There is a similar thread discussion in the Q&A Forum; please refer to the suggestion here.

    If you are using Kerberos authentication (AD DS or AAD DS) to access the Azure file share, the user SID will be logged.

    Below is an example of what’s logged if you’re using AD DS authentication to access the Azure file share:

        {
          "time": "2022-01-21T16:39:42.8712810Z",
          "resourceId": "/subscriptions/SubID_Removed/resourceGroups/afs/providers/Microsoft.Storage/storageAccounts/saname/fileServices/default",
          "category": "StorageWrite",
          "operationName": "Close",
          "operationVersion": "3.0",
          "schemaVersion": "1.0",
          "statusCode": 0,
          "durationMs": 3,
          "callerIpAddress": "10.0.0.1",
          "correlationId": "d62bfd52-901d-0077-007d-5fa62a000000",
          "identity": {"type":"Kerberos","requester":{"smbPrimarySID":"S-1-5-21-9928259027-5310468894-1309476588-2110"}},
          "location": "West US",
          "properties": {
            "accountName":"saname",
            "etag":"0x8d82d949dbb5ace",
            "serviceType":"file",
            "lastModifiedTime":"2022/01/21 16:39:19.7636302",
            "serverLatencyMs":3,
            "operationCount":0,
            "requestHeaderSize":64,
            "requestBodySize":24,
            "responseHeaderSize":64,
            "responseBodySize":112,
            "smbSessionId":9759353286913163325,
            "smbTreeConnectID":5,
            "smbPersistentHandleID":7979073622,
            "smbVolatileHandleID":18446744069415632993,
            "smbCreditsConsumed":1,
            "smbMessageID":557,
            "smbCommandMajor":6,
            "smbCommandMinor":"FileCloseAndDelete",
            "smbCommandDetail":"Detail=Client",
            "smbFileId":13835093239654252544
          },
          "uri": "\\saname.file.core.windows.net\westus\Azure Files\Azure Files Overview.pptx",
          "protocol": "SMB",
          "resourceType": "Microsoft.Storage/storageAccounts/fileServices"
        }

    Since we log the SID, the customer can use the Get-ADUser PowerShell cmdlet to map the SID to a username. We do have an improvement planned to also log the username.

    Please let us know if you have any further queries. I’m happy to assist you further.

    ----------

    Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
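
As an added example (not part of the original answer and not Microsoft's code), this Python script reduces log records of the shape quoted above to who / what / when / where and groups deletions by SID, ready for lookup with Get-ADUser. The sample records are constructed, and treating `smbCommandMinor` = `FileCloseAndDelete` as a delete is an assumption drawn from the field name.

```python
import json
from collections import defaultdict

# Constructed sample: one resource-log record per line, using the field names
# from the entry quoted in the answer. SIDs, paths and times are made up.
SAMPLE_LOG = r'''
{"time": "2022-01-21T16:39:42Z", "category": "StorageWrite", "operationName": "Close", "statusCode": 0, "callerIpAddress": "10.0.0.1", "identity": {"type": "Kerberos", "requester": {"smbPrimarySID": "S-1-5-21-1111111111-2222222222-3333333333-2110"}}, "properties": {"smbCommandMinor": "FileCloseAndDelete"}, "uri": "\\\\saname.file.core.windows.net\\share\\plan.pptx", "protocol": "SMB"}
{"time": "2022-01-21T16:41:05Z", "category": "StorageRead", "operationName": "Read", "statusCode": 0, "callerIpAddress": "10.0.0.7", "identity": {"type": "Kerberos", "requester": {"smbPrimarySID": "S-1-5-21-1111111111-2222222222-3333333333-2115"}}, "properties": {}, "uri": "\\\\saname.file.core.windows.net\\share\\budget.xlsx", "protocol": "SMB"}
{"time": "2022-01-21T16:45:30Z", "category": "StorageWrite", "operationName": "Close", "statusCode": 0, "callerIpAddress": "10.0.0.9", "properties": {"smbCommandMinor": "FileCloseAndDelete"}, "uri": "\\\\saname.file.core.windows.net\\share\\old.txt", "protocol": "SMB"}
not-json: truncated export line
'''

def parse_records(text):
    """Return (records, bad_line_count); malformed lines are counted, not fatal."""
    records, bad = [], 0
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return records, bad

def to_audit_event(rec):
    """Reduce one record to who / what / when / where."""
    props = rec.get("properties") or {}
    # Assumption: FileCloseAndDelete marks a delete even though the record's
    # category is StorageWrite, so classify on the SMB detail first.
    if props.get("smbCommandMinor") == "FileCloseAndDelete":
        action = "delete"
    else:
        action = rec.get("category", "").replace("Storage", "").lower() or "unknown"
    sid = ((rec.get("identity") or {}).get("requester") or {}).get("smbPrimarySID")
    return {"time": rec.get("time"), "action": action, "path": rec.get("uri"),
            "sid": sid, "ip": rec.get("callerIpAddress")}

def deletions_by_sid(events):
    """Group deleted paths by SID; records with no SID go under 'no-sid'."""
    out = defaultdict(list)
    for e in events:
        if e["action"] == "delete":
            out[e["sid"] or "no-sid"].append(e["path"])
    return dict(out)

if __name__ == "__main__":
    records, bad = parse_records(SAMPLE_LOG)
    events = [to_audit_event(r) for r in records]
    print(deletions_by_sid(events), f"({bad} unparsable lines)")
```

Records that carry no Kerberos SID are kept under `no-sid` rather than dropped, so a deletion performed without AD DS authentication still appears in the summary with its time and caller IP.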

