Announcing the Public Preview of Change Actor
Published Mar 05 2024 03:57 PM
Microsoft

Change Analysis 

Identifying who made a change to your Azure resources and how the change was made just became easier! With Change Analysis, you can now see who initiated the change and with which client that change was made, for changes across all your tenants and subscriptions.  

 

Audit, troubleshoot, and govern at scale  

Changes should be available in under five minutes and are queryable for fourteen days. In addition, this support includes the ability to craft charts and pin results to Azure dashboards based on specific change queries.   

 

What’s new: Actor Functionality 

This added functionality is in private preview.  

  • Who made the change   
    • This can be either ‘AppId’ (client or Azure service) or email-ID of the user 
      • E.g. changedBy: elizabeth@contoso.com 
  • With which client the change was made 
    • E.g. clientType: portal 
  • What operation was called 

 

Try it out 

You can try it out by querying the “resourcechanges” or “resourcecontainerchanges” tables in Azure Resource Graph.  

 

Sample Queries 

Documentation on how to query resourcechanges and resourcecontainerchanges in Azure Resource Graph: Get resource changes - Azure Resource Graph | Microsoft Learn

   

Summary of who made resource changes, and with which client, in the last 7 days, ordered by the number of changes

 

resourcechanges
| extend changeTime = todatetime(properties.changeAttributes.timestamp),
    targetResourceId = tostring(properties.targetResourceId),
    changeType = tostring(properties.changeType),
    changedBy = tostring(properties.changeAttributes.changedBy),
    changedByType = properties.changeAttributes.changedByType,
    clientType = tostring(properties.changeAttributes.clientType)
| where changeTime > ago(7d)
| project changeType, changedBy, changedByType, clientType
| summarize count() by changedBy, changeType, clientType
| order by count_ desc

 

Summary of who made resource changes, and with which operations, ordered by the number of changes

 

resourcechanges
| extend changeTime = todatetime(properties.changeAttributes.timestamp),
    targetResourceId = tostring(properties.targetResourceId),
    operation = tostring(properties.changeAttributes.operation),
    changeType = tostring(properties.changeType),
    changedBy = tostring(properties.changeAttributes.changedBy),
    changedByType = properties.changeAttributes.changedByType,
    clientType = tostring(properties.changeAttributes.clientType)
| project changeType, changedBy, operation
| summarize count() by changedBy, operation
| order by count_ desc

 

List resource container (resource group, subscription, and management group) changes: who made the change, what client was used, and which operation was called, ordered by the time of the change

 

resourcecontainerchanges
| extend changeTime = todatetime(properties.changeAttributes.timestamp),
    targetResourceId = tostring(properties.targetResourceId),
    operation = tostring(properties.changeAttributes.operation),
    changeType = tostring(properties.changeType),
    changedBy = tostring(properties.changeAttributes.changedBy),
    changedByType = properties.changeAttributes.changedByType,
    clientType = tostring(properties.changeAttributes.clientType)
| project changeTime, changeType, changedBy, changedByType, clientType, operation, targetResourceId
| order by changeTime desc

 

FAQ 

How do I use Change Analysis? 

Change Analysis can be used by querying the resourcechanges or resourcecontainerchanges tables in Azure Resource Graph, for example with Azure Resource Graph Explorer in the Azure Portal or through the Azure Resource Graph APIs. More information can be found here: Get resource changes - Azure Resource Graph | Microsoft Learn.

   

What does unknown mean? 

Unknown is displayed when the change happened on a client that is unrecognized.

 

Why are some of the changedBy values unspecified? 

Some resources in the resourcechanges table are not yet fully covered by the change actor functionality. This can happen when a resource has been affected by a system change, or when the resource provider (RP) first needs to send us the Who/How information. Unspecified is displayed when the resource is missing changedByType values, which can be missing for either Creates or Updates. You may also see an increase in Unspecified values for these types:

  • virtualmachines 
  • virtualmachinescalesets 
  • publicipaddresses 
  • disks 
  • networkinterfaces  
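
As an added example (not from the original post or Microsoft's code), this Python script triages rows exported from the queries above, counting changes per actor and client and flagging the Unknown client and Unspecified actor cases described in this FAQ. The sample rows, resource IDs, AppId, and function names are constructed, and treating an absent field like Unknown or Unspecified is an assumption.

```python
from collections import Counter

def make_row(change_type, target, changed_by, client_type):
    """Hypothetical helper: builds a row with the nesting the page's queries read."""
    return {"properties": {
        "changeType": change_type,
        "targetResourceId": target,
        "changeAttributes": {"changedBy": changed_by, "clientType": client_type},
    }}

# Constructed sample rows; the resource IDs and the AppId are made up.
APP_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_ROWS = [
    make_row("Update", "/rg/demo/virtualmachines/vm1", "elizabeth@contoso.com", "portal"),
    make_row("Update", "/rg/demo/networkinterfaces/nic1", "elizabeth@contoso.com", "portal"),
    make_row("Create", "/rg/demo/disks/disk1", "Unspecified", "Unknown"),
    make_row("Delete", "/rg/demo/publicipaddresses/ip1", APP_ID, "Unknown"),
]

def actor_kind(changed_by):
    """Classify changedBy as the page describes it: a user email ID or an AppId."""
    value = (changed_by or "").strip()
    if not value or value.lower() == "unspecified":
        return "unspecified"
    return "user" if "@" in value else "app"

def triage(rows):
    """Count changes per (changedBy, clientType, changeType); list rows to review."""
    counts, review = Counter(), []
    for row in rows:
        props = row.get("properties", {})
        attrs = props.get("changeAttributes", {})
        # Assumption: an absent field is treated like Unspecified / Unknown.
        changed_by = attrs.get("changedBy") or "Unspecified"
        client = attrs.get("clientType") or "Unknown"
        counts[(changed_by, client, props.get("changeType"))] += 1
        reasons = []
        if actor_kind(changed_by) == "unspecified":
            reasons.append("actor not attributed")
        if client.lower() == "unknown":
            reasons.append("unrecognized client")
        if reasons:
            review.append((props.get("targetResourceId"), reasons))
    return counts, review

if __name__ == "__main__":
    counts, review = triage(SAMPLE_ROWS)
    for key, n in counts.most_common():
        print(n, *key)
    for target, reasons in review:
        print("REVIEW", target, "; ".join(reasons))
```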

 

What resources are included? 
You can try it out by querying the “resourcechanges” or “resourcecontainerchanges” tables in Azure Resource Graph.   

 

Questions and Feedback 

 
