When you upgrade Azure Security Center to the Standard tier, you have the flexibility to choose which resource types to upgrade to Standard: Virtual Machine, SQL Server, App Service and Storage Account.
When all resources are enabled, your subscription coverage will appear as "Fully Covered", and if you have at least one resource type that is not enabled, it will appear as "Partially covered". The video demo below shows this behavior:
In an environment where multiple administrators have the privilege to change the pricing tier, it can be a challenge to identify who made those changes, since this information is not available in the Security Center dashboard. Luckily, we have Azure Activity Log to help you audit changes in your Azure environment, which includes Security Center configurations. I've talked about that previously for another scenario, and here the approach is basically the same. Go to Azure Activity Log to identify who made those changes.
Let's say you want to identify who changed the pricing tier from "fully covered" to "partially covered" by leaving only the VM resource type enabled. In the example below you have the complete sequence of changes:
Now you need to open the operation that you want to investigate to see who made the change. When opening the "Update pricing settings" operation, click the JSON tab, and there you will see the information that you are looking for, as shown in the example below:
There you have the identity of the user that made the change, the time that the change was made, the resource that was affected by this change, and the type of change that was done.
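The same four fields can be pulled out of exported Activity Log events in bulk rather than one operation at a time. The Python sketch below is an added example, not code from the original post: the events, callers and subscription ID are constructed, the operation name `Microsoft.Security/pricings/write` is taken to be the one behind "Update pricing settings", and the `requestbody` layout carrying `pricingTier` is an assumption.

```python
import json

PRICING_WRITE = "microsoft.security/pricings/write"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder

def make_event(ts, caller, plan, tier, status="Succeeded",
               op="Microsoft.Security/pricings/write"):
    # One constructed event; the requestbody layout is an assumption.
    return {
        "caller": caller, "eventTimestamp": ts,
        "operationName": {"value": op}, "status": {"value": status},
        "resourceId": SUB + "/providers/Microsoft.Security/pricings/" + plan,
        "properties": {"requestbody": json.dumps(
            {"properties": {"pricingTier": tier}})},
    }

SAMPLE_EVENTS = [  # constructed, newest first
    make_event("2019-05-02T14:03:12Z", "admin2@contoso.example", "StorageAccounts", "Free"),
    make_event("2019-05-02T14:03:11Z", "admin2@contoso.example", "AppServices", "Free"),
    make_event("2019-05-02T14:03:10Z", "admin2@contoso.example", "SqlServers", "Free"),
    make_event("2019-05-02T14:03:09Z", "admin2@contoso.example", "SqlServers", "Free", "Started"),
    make_event("2019-05-02T13:58:40Z", "admin1@contoso.example", "VirtualMachines", "Standard"),
    make_event("2019-05-02T13:50:00Z", "admin1@contoso.example", "vm01", "n/a",
               op="Microsoft.Compute/virtualMachines/write"),
]

def pricing_changes(events):
    """Who changed which Security Center plan, when, and to which tier."""
    changes = []
    for ev in events:
        op = ev.get("operationName", {}).get("value", "").lower()
        if op != PRICING_WRITE or ev.get("status", {}).get("value") != "Succeeded":
            continue  # other operations, or Started/Failed records
        try:
            body = json.loads(ev.get("properties", {}).get("requestbody", ""))
            tier = body["properties"]["pricingTier"]
        except (ValueError, KeyError, TypeError):
            tier = "unknown"  # body absent or not in the assumed shape
        changes.append({"when": ev["eventTimestamp"],
                        "who": ev.get("caller", "unknown"),
                        "plan": ev["resourceId"].rstrip("/").rsplit("/", 1)[-1],
                        "tier": tier})
    return sorted(changes, key=lambda c: c["when"])

if __name__ == "__main__":
    for c in pricing_changes(SAMPLE_EVENTS):
        print(c["when"], c["who"], c["plan"], "->", c["tier"])
```

Filtering on the `Succeeded` status keeps one record per change, since a write can also appear with a `Started` record.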