Custom RBAC | grant Activity log


Hello everybody,

I have created a custom RBAC and defined the following actions:


"Microsoft.Storage/*/read",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Insights/ActivityLogAlerts/*",
"Microsoft.Insights/Logs/AzureActivity/Read",
"Microsoft.Insights/eventtypes/values/Read",
"Microsoft.Insights/EventCategories/Read",
"Microsoft.DevTestLab/schedules/*",
"Microsoft.DevTestLab/labs/schedules/*"

In the Azure Portal a user who is authorized by the created RBAC can download the logs as .csv in the Activity Log but cannot directly view them in the portal.
Does anyone have an idea which action is missing?

3 Replies

Hi @Christian Scharf.

Can you explain your goal?

I have created a Custom Role in my tenant and added a test user to it.

When I log in to the Azure portal with the test user, I'm now able to view all the logs under Azure Monitor in the action log.

Or did you need to see in each resource group the activity log?

Many greetings

Hi, @Gregor Reimling,

in the Azure Monitor I can also see the logs.
My goal as you described is to have the activity log in every resource.

Thank you for your work so far.

@Christian Scharf Did you get to a solution on this? Have a similar issue.