Audit Logs for Azure Events

Note: This post is cross-post with http://blogs.msdn.com/b/cloud_solution_architect.

A common ask when working with Microsoft Azure is, “how can I view audit logs to determine who made changes to the subscription(s) and the related Azure resources?” With the new Audit Logs feature now available in the Azure Preview Portal (https://portal.azure.com), keeping track of changes becomes easier than ever.

Before getting started, I would like to point out that Dushyant Gill has an excellent post in which he provides one way to answer three very important questions:

  1. Who all has access to my subscriptions?
  2. What access does a specific user have on my subscription?
  3. Who gained (or lost) access to my subscriptions in the past n days?

In Dushyant’s post, he describes a PowerShell module he wrote that makes it easy to generate reports which answer the above questions.

In this post, I will describe one approach for working with the new Azure Audit Logs to determine what changed, and also how to view logs related to the addition or removal of co-administrators. Along with the PowerShell module described in Dushyant’s post, this should allow much more insights into the actions taken against an Azure subscription.

What Changed?

By opening the new Audit Logs blade in the Azure Preview Portal, you can view many of the events that occurred against the subscription.

Audit Logs - Single

The Audit Logs blade will show five key pieces of information for the list of operations:

  1. Operation name
  2. Level: Critical, Error, Warning, or Informational
  3. Status: Succeeded or Failed
  4. Resource
  5. Time

Note 1: Use the Filter action at the top of the Audit Logs blade to modify the operations displayed.

Note 2: Audit logs are available for only the Azure resources available in the Azure Preview Portal and/or the Azure Resource Manager API.

 

Clicking on a specific operation will open additional blades to view more detailed information.

Full Audit Logs

The Detail blade will allow you to view key pieces of information such as who made the change, when the change was made, what was the Azure resource and resource group affected, etc.

Audit Logs - Detail Blade

If the change is related to a role assignment (i.e. adding a user to one of the new Role Based Access Control (RBAC) related roles – Virtual Machine Contributor, Website Contributor, etc.), the Detail blade will show additional information to show the user that was added to the role. At the time of this writing, however, the user and role is displayed as a GUID and not the corresponding friendly name (e.g. email address or role name). It is anticipated this will be cleaned up in a feature update to the Azure Preview Portal. In the meantime, you can leverage a few Azure PowerShell cmdlets to piece together the relevant information.

In the Details blade, have a look at the PROPERTIES value. There are two key pieces of information here: the PrincipalId and the RoleDefinitionId.

Audit Logs - Add User to RBAC Role

For the cmdlets below, you will need to switch to the Azure Resource Manager mode in Azure Powershell by executing the command below.  Azure PowerShell version 0.8.15 is used in this post, although the cmdlets below first appeared in version 0.8.14.

Switch-AzureMode AzureResourceManager

 

To determine the role to which the user was assigned, use the Get-AzureRoleDefintion cmdlet. This cmdlet returns all the role definitions, so you will need to search for the specific definition (the GUID after “roleDefinition”) as indicated the PROPERTIES in the Detail blade.

Get-AzureRoleDefinition | where { ($_.Id -like "*de139f84-1756-47ae-9be6-808fbbe84772" )}

Get-AzureRoleDefinition

To get the user added to the role, use the Get-AzureAdUser cmdlet. For the -ObjectId parameter, use the PrincipalId value from the PROPERTIES in the Detail blade.

Get-AzureADUser -ObjectId b458cfbc-a101-45c1-9575-1ec43aefcc45

Get-AzureAdUser

What about Co-Administrators and Management Certificates?

When it comes to permissions in Azure, there are three approaches that can be used: the co-administrator model, management certificates, and Role Based Access Control (RBAC). The co-administrator model has been the security model in working with Azure for quite some time. People that wanted to work with Azure (assuming they were not the subscription owner) could be granted access to the Azure subscription as a co-administrator. As a co-administrator, they could take any action they desired against any Azure service.  If non-interactive administrative access was needed, a management certificate could be added to the target subscription(s).

Going back to the earlier topic of what change was made and by whom – how can we tell when a co-administrator or management certificate was added to the subscription?

For management certificates, you can use the List Subscription Operations service management API call. There is an Operation Name parameter in the response that should include AddSubscriptionCertificate and RemoveSubscriptionCertificate for the respective action.

AddSubscriptionCertificate

An astute observer of the MSDN documentation for List Subscription Operations will notice there is no corresponding operation for co-administrators. To obtain information about co-administrators being added or removed from a subscription, we can leverage the new audit logs available in the Azure Preview Portal and Azure Resource Manager API. Co-administrators in the Azure Management Portal actually correspond to the Owner role available in the Azure Preview Portal (and thus Azure Resource Manager). Adding or removing a co-administrator via the Azure Management Portal creates an event with Azure Resource Manager that is then logged. However, as of the time of this writing, the addition or removal of co-administrators is not yet reported in the Azure Preview Portal’s Audit Logs.

To get the audit logs related to the addition or remove of co-administrators, you can use the Get-AzureResourceProviderLog PowerShell cmdlet. This cmdlet retrieves the operations associated for a specific Resource Provider – in this case we would want operations against the Microsoft.Authoriztion provider. For example, to view the logs for a certain date range, you could execute a command similar to the following:

Get-AzureResourceProviderLog -ResourceProvider "Microsoft.Authorization" -StartTime "2015-03-10" -EndTime "2015-03-11" -DetailedOutput

A screenshot of the output is below. In the screenshot you’ll notice you can see the adminEmail and adminType for the user added via the Azure Management Portal.

Get-AzureResourceProviderLog - Add CoAdmins

Alternatively, you could get all the authorization events starting from a specific date up until the current time:

Get-AzureResourceProviderLog -ResourceProvider "Microsoft.Authorization" -StartTime "2015-03-11" -DetailedOutput

Get-AzureResourceProviderLog - Remove CoAdmins

It should be noted that there currently does seem to be at least two known bugs related to the shown information:

  1. If the removed co-admin is an Azure AD user (as opposed to a Microsoft Account), the adminEmail is empty
  2. The Caller value is not populating

 

But Wait! There’s More!!

The Get-AzureResourceProviderLog cmdlet shown above is just one of the new audit log cmdlets now available. It is easy to view the additional cmdlets by executing the following command:

get-help get-*Azure*log*
Name Description
Get-AzureSubscriptionIdLog Gets the operations associated with the current subscriptionId
Get-AzureResourceProviderLog Gets the operations associated with a Resource Provider
Get-AzureResourceLog Gets the operations associated with a ResourceId
Get-AzureResourceGroupLog Gets the deployment log for a resource group
Get-AzureCorrelationIdLog Gets the operations associated with a CorrelationId.

 

Summary

The new Audit Logs feature in the Azure Preview Portal, combined with new Azure PowerShell cmdlets, make it easier than ever to have insights into the changes made to an Azure subscription. Together, with the module described in Dushyant Gill’s post, many of the administrative actions taken against an Azure subscription and related resources are now easily viewable.

Please be sure to be using at least version 0.8.14 (that’s when the cmdlets mentioned in this post first appeared) of the Azure PowerShell cmdlets, and switch to use the AzureResourceManager mode for the cmdlets as well.

Posted in Microsoft Azure, PowerShell, Windows Azure

New Book – Microsoft Azure Essentials

In early February, Microsoft Press released a free new eBook entitled Fundamentals of Azure: Microsoft Azure Essentials. This is a book I, along with Azure MVP Robin Shahan spent several months on in late 2014. To see if finally be published is truly exciting!Book Cover

The goal of the book is to serve as primer for those new to cloud computing in general, and the Microsoft Azure platform specifically. We do not go too deep on the topics, and we don’t cover all the services available in Azure. We cover the core concepts people need to get started and be successful.

Writing a book is hard work – much harder than I originally anticipated. I had friends tell me it would be a lot of work – they were right! Writing a book on Azure adds to the challenge, I think. The reason is Azure is a constantly evolving platform. It’s hard to write a book on something that changes several times a month. We tried to keep up with the changes as best we could. But, inevitably some things will be inaccurate by the time to book is published or shortly thereafter.

Writing a book is also fun! While many nights and weekends were sacrificed to write this book, it was a very rewarding experience. I know I learned a lot while writing this book. I had many late night Skype calls with Robin to talk through how we wanted topics to flow. I had many great email conversations with the Azure MVPs that helped to provide early feedback on the book. A lot of work, but fun – and that’s the best kind of work!

You can find the book at http://aka.ms/fundamentalsofazure and get it in PDF, EPUB, or Mobi formats.

Topics covered in the book include.

  • Getting started with Azure: Understand what cloud computing is, visit the management
    portals, and learn about billing.
  • Websites and Cloud Services: Learn about Azure Websites, from deployment to monitoring, and gain an understanding of the web and worker roles used in Azure Cloud Services.
  • Virtual Machines: Explore the basic features of Azure Virtual Machines, including how to create, configure, and manage them.
  • Storage: Read about the basics of Azure Storage, including blobs, tables, queues, and file shares.
  • Virtual Networks: Learn the basics of virtual networks, including how to create one, and why a virtual network might be necessary. This also covers site-to-site and point-to-site networking, as well as ExpressRoute.
  • Databases: Explore two relational database options available in Azure: Azure SQL Database and SQL Server in Azure Virtual Machines.
  • Azure Active Directory: Explore basic features of Azure AD, including creating a directory, users and groups, and using the application gallery.
  • Management Tools: Explore three common tools for working with Azure: Visual Studio 2013 and the Azure SDK, Azure PowerShell cmdlets, and the Cross-Platform Command-Line Interface
  • Business Scenarios: Explore four common scenarios for utilizing Azure features: development and test, hybrid, application and infrastructure modernization, and Azure Mobile Services.
Tagged with:
Posted in Windows Azure

Determine the RDP User for Web/Worker Role

Note: This post is cross-post with http://blogs.msdn.com/b/cloud_solution_architect.

It is widely known that it is possible to add Remote Desktop (RDP) to a Cloud Service (web/worker role). Adding RDP is often done as a support mechanism – enabling the desire to see what is happening with the virtual machine and how the deployed code is working, or not.

Options to Enable Remote Desktop

There are two ways to add Remote Desktop support to a Cloud Service deployment:

1. Using Visual Studio, Remote Desktop can be added when the service is deployed by clicking the “Enable Remote Desktop for all roles” option in the publishing wizard. This approach will add two modules, RemoteAccess and RemoteForwarder, into the service model. You can read more on MSDN about setting up the connection in the service model.

 VisualStudioPublishWizard

2. Using the Azure Management Portal, for the desired Cloud Service, first navigate to the CONFIGURE section and then select the REMOTE option in the bottom command bar. You can read more about this approach at http://azure.microsoft.com/en-us/documentation/articles/cloud-services-how-to-configure/#remoteaccess.

 AzureManagementPortal-EnableRDP

Determine the Username

There are scenarios in which Remote Desktop is disabled when the Cloud Service is deployed, and only enabled in the event of a support incident when it is deemed RDP is the best support option. In this case, a co-administrator can enable RDP via the Azure Management Portal (as mentioned previously).  When first enabling RDP you set the username and password for the local machine account to be created on the role instance.  But what about after RDP is enabled – how do you know the local username that was created?  Is this information logged?

Enabling Remote Desktop in a Cloud Service is done via an extension. To learn more about extensions with Cloud Services and using them to enable Remote Desktop, I would encourage you to read Azure MVP Gaurav Mantri’s excellent blog post on the topic. Gaurav’s post shows how to add the Remote Desktop extension via the Service Management API. This information can be also useful when needing to retrieve details about a previously added Remote Desktop extension.

When Remote Desktop is enabled by using the extension model (e.g. enabling Remote Desktop via the portal), the operation logs in the Azure Management Portal (in the Management Services section) will show a new operation – AddHostedServiceExtension. If you were to look at the details for this extension, you would see something similar to the following:

<SubscriptionOperation xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
     <OperationId>ae0fcdb1-xxxxxxxxxxxxxx</OperationId>
     <OperationObjectId>/0bbbc191-xxxxxxxxxxxxxxxxx/services/hostedservices/rdpdemo01</OperationObjectId>
     <OperationName>AddHostedServiceExtension</OperationName>
     <OperationParameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/Microsoft.WindowsAzure.ServiceManagement">
          <OperationParameter>
               <d2p1:Name>subscriptionID</d2p1:Name>
               <d2p1:Value>0bbbc191-xxxxxxxxxxxxxxxxx</d2p1:Value>
          </OperationParameter>
          <OperationParameter>
               <d2p1:Name>serviceName</d2p1:Name>
               <d2p1:Value>rdpdemo1</d2p1:Value>
          </OperationParameter>
          <OperationParameter>
               <d2p1:Name>input</d2p1:Name>
               <d2p1:Value><?xml version="1.0" encoding="utf-16"?><Extension xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/windowsazure"><ProviderNameSpace>Microsoft.Windows.Azure.Extensions</ProviderNameSpace><Type>RDP</Type><Id>RDP-a2d56066-1a78-40a9-98f3-e0a941a55a59</Id><Version>1.*</Version></Extension></d2p1:Value>
          </OperationParameter>
     </OperationParameters>
     <OperationCaller>
          <UsedServiceManagementApi>true</UsedServiceManagementApi>
          <UserEmailAddress>xxxxxxxxxx</UserEmailAddress>
          <SubscriptionCertificateThumbprint />
          <ClientIP>70.xx.xx.xx</ClientIP>
     </OperationCaller>
     <OperationStatus>
          <ID>ae0fcdb1-xxxxxxxxxxx</ID>
          <Status>Succeeded</Status>
          <HttpStatusCode>200</HttpStatusCode>
     </OperationStatus>
     <OperationStartedTime>2015-01-23T20:55:48Z</OperationStartedTime>
     <OperationCompletedTime>2015-01-23T20:55:55Z</OperationCompletedTime>
     <OperationKind>AddHostedServiceExtensionOperation</OperationKind>
</SubscriptionOperation>

A key piece of information in the above XML is the “input” OperationParameter. There are two key pieces of data here – the Type of the extension is “RDP” and the ID.  The type of “RDP” lets us know that we are looking at the correct extension – the extension which added Remote Desktop support to the Cloud Service. The ID provides a unique identifier for the specific extension’s configuration information. With that ID, we can use the Get Extension operation in the Azure Service Management  API to retrieve public configuration, which will then provide the username created when enabling Remote Desktop.

In order to retrieve the public configuration, there are three steps you will need to perform:

  1. Set up authentication with the Azure Service Management API. See the Authenticating Service Management Requests topic in MSDN for more information.
  2. Make a request to the Get Extension operation, providing the RDP extension ID retrieved from the Azure Management Portal.  For example, https://management.core.windows.net/0bbbc191-xxxxxxxxxxxxxxxx/services/hostedservices/rdpdemo1/extensions/RDP-a2d56066-1a78-40a9-98f3-e0a941a55a59. This can be done using a tool such as Fiddler, or by writing code against the Service Management API. The response should contain the base64 encoded public configuration data.
  3. Decode the public configuration. Once decoded, you will be able to find the username used when enabling RDP.
<PublicConfig xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
     <UserName>mcollier</UserName>
     <Expiration>2015-02-04 05:00:00Z</Expiration>
</PublicConfig>
Tagged with:
Posted in Microsoft Azure

Speaking at VS Live! Las Vegas

I’ll be speaking at Visual Studio Live!, March 16-20 in Las Vegas. Surrounded by your fellow industry professionals, Visual Studio Live! provides you with immediately usable training and education that will keep you relevant in the workforce.

I’ll be presenting the following sessions:

SPECIAL OFFER: As a speaker, I can extend $500 savings on the 5-day package. Register here: http://bit.ly/LVSPK09_Reg

Make sure to sure to use the code ‘LVSPK09′ to get the discount!

 

Amplify your knowledge at Visual Studio Live! Las Vegas — bring the issues that keep you up at night and prepare to leave this event with the answers, guidance and training you need.  Register now: http://bit.ly/LVSPK09_Reg

Tagged with: ,
Posted in Microsoft Azure, Speaking

2014 Blog in Review

The WordPress.com stats helper monkeys prepared a 2014 annual report for this blog.

Here’s an excerpt:

The concert hall at the Sydney Opera House holds 2,700 people. This blog was viewed about 27,000 times in 2014. If it were a concert at Sydney Opera House, it would take about 10 sold-out performances for that many people to see it.

Click here to see the complete report.

Posted in Windows Azure

‘Tis the Season . . . for Change

For the past 19 months I have served as a Principal Cloud Architect with Aditi Technologies. Today that journey comes to an end. I have had the opportunity to work with some truly amazing, crazy-smart people at Aditi. I have worked with some wonderful clients and worked on some really interesting projects. I have seen some amazing cities I never thought I would get to see. The cloud journey at Aditi has been a wonderful journey. I’ve learned a lot. I’ve laughed a lot. I am thankful.

Staring in January 2015 I will join Microsoft as a Cloud Solution Architect (CSA). I am beyond thrilled about this next chapter in my career. Those that have known me for a while know that I have had a dream / goal of someday working for Microsoft. I have interviewed a few times in the past for various positions at Microsoft, and it just never seemed to work. It worked this time!  All things happen for a reason, and I’m very happy about the new opportunities and challenges that await.

I’m going to be taking a few weeks at the end of this year and start of 2015 to just relax. I’m behind on many “honey do” tasks. I’m behind on my XBox gamer profile as well . . . something I intend to devote time to remedying over the holiday break.

Tagged with:
Posted in Career

Azure Worker Role Changes in SDK 2.4

It’s been quite a while since we’ve seen any significant (ok, really any) changes in the boilerplate template code Visual Studio generates for Azure Cloud Services (web or worker roles). For as long as I can remember, the code has looked like this:

public override void Run()
{
    // This is a sample worker implementation. Replace with your logic.
    Trace.TraceInformation("WorkerRole.23 entry point called");

    while (true)
    {
       Thread.Sleep(10000);
       Trace.TraceInformation("Working");
    }
}

Pretty basic, right?  Just do some work forever.  If there is a failure (i.e. an unhandled exception), it’ll bubble up and out of the Run method, effectively crashing the role and Azure will restart it. The problem with this is that it didn’t effectively handle the case when the role stops – when OnStop is called. If your code was doing something at the that time, too bad, so sad.  You’re done. Microsoft released some guidance way back in January 2013 on The Right Way to Handle Azure OnStop Events. Unless you knew of this blog post, or were really good at your Bing-fu, it was too easy to just use the Visual Studio generated code. And then something happens, your code doesn’t do what you think it should (even though it does exactly what it is told to do), and bad words are uttered silently, and feelings get hurt.

Staring with Azure SDK 2.4, there is new boilerplate code generated by Visual Studio.  Check this out:

public class WorkerRole : RoleEntryPoint
{
    private readonly CancellationTokenSource cancellationTokenSource = new CancellationTokenSource();
    private readonly ManualResetEvent runCompleteEvent = new ManualResetEvent(false);

    public override void Run()
    {
        Trace.TraceInformation("WorkerRole.24 is running");

        try
        {
            this.RunAsync(this.cancellationTokenSource.Token).Wait();
        }
        finally
        {
            this.runCompleteEvent.Set();
        }
    }

    public override void OnStop()
    {
        Trace.TraceInformation("WorkerRole.24 is stopping");

        this.cancellationTokenSource.Cancel();
        this.runCompleteEvent.WaitOne();

        base.OnStop();

        Trace.TraceInformation("WorkerRole.24 has stopped");
    }

    private async Task RunAsync(CancellationToken cancellationToken)
    {
       // TODO: Replace the following with your own logic.
       while (!cancellationToken.IsCancellationRequested)
       {
           Trace.TraceInformation("Working");
           await Task.Delay(7000);
       }
    }
}

At first blush, this looks more complicated. But it really isn’t that bad. In a way, it’s doing what that Microsoft blog post from 2013 was indicating, just using cancellation tokens.

The OnStop method is actually overridden in the template now. There, the cancellation token is triggered to indicate the running thread should be cancelled, and then wait for that to happen. In the RunAsync method, we’re just waiting for that cancellation request, otherwise continue doing some business. Easy.

Keep in mind that there is still the 5 minute limit to finish, or else Azure will terminate the process.

Tagged with:
Posted in Microsoft Azure, Windows Azure
Follow Michael S. Collier's Blog on WordPress.com
Follow

Get every new post delivered to your Inbox.

Join 2,157 other followers