|
| 1 | +--- |
| 2 | +title: Alert on privileged Azure role assignments |
| 3 | +description: Alert on privileged Azure role assignments by creating an alert rule using Azure Monitor. |
| 4 | +services: role-based-access-control |
| 5 | +author: rolyon |
| 6 | +manager: karenhoran |
| 7 | +ms.service: role-based-access-control |
| 8 | +ms.topic: how-to |
| 9 | +ms.workload: identity |
| 10 | +ms.date: 07/29/2022 |
| 11 | +ms.author: rolyon |
| 12 | +--- |
| 13 | + |
| 14 | +# Alert on privileged Azure role assignments |
| 15 | + |
| 16 | +Privileged Azure roles, such as Contributor, Owner, or User Access Administrator, are powerful roles and may introduce risk into your system. You might want to be notified by email or text message when these or other roles are assigned. This article describes how to get notified of privileged role assignments at a subscription scope by creating an alert rule using Azure Monitor. |
| 17 | + |
| 18 | +## Prerequisites |
| 19 | + |
| 20 | +To create an alert rule, you must have: |
| 21 | + |
| 22 | +- Access to an Azure subscription |
| 23 | +- Permission to create resource groups and resources within the subscription |
| 24 | +- [Log Analytics configured](../azure-monitor/logs/quick-create-workspace.md) so it has access to the AzureActivity table |
| 25 | + |
| 26 | +## Estimate costs before using Azure Monitor |
| 27 | + |
| 28 | +There's a cost associated with using Azure Monitor and alert rules. The cost is based on the frequency the query is executed and the notifications selected. For more information, see [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/). |
| 29 | + |
| 30 | +## Create an alert rule |
| 31 | + |
| 32 | +To get notified of privileged role assignments, you create an alert rule in Azure Monitor. |
| 33 | + |
| 34 | +1. Sign in to the [Azure portal](https://portal.azure.com). |
| 35 | + |
| 36 | +1. Navigate to **Monitor**. |
| 37 | + |
| 38 | +1. In the left navigation, click **Alerts**. |
| 39 | + |
| 40 | +1. Click **Create** > **Alert rule**. The **Create an alert rule** page opens. |
| 41 | + |
| 42 | +1. On the **Scope** tab, select your subscription. |
| 43 | + |
| 44 | +1. On the **Condition** tab, select the **Custom log search** signal name. |
| 45 | + |
| 46 | +1. In the **Log query** box, add the following Kusto query that will run on the subscription's log and trigger the alert. |
| 47 | + |
| 48 | + This query filters for attempts to assign the [Contributor](built-in-roles.md#contributor), [Owner](built-in-roles.md#owner), or [User Access Administrator](built-in-roles.md#user-access-administrator) roles at the scope of the selected subscription. |
| 49 | + |
| 50 | + ```kusto |
| 51 | + AzureActivity |
| 52 | + | where CategoryValue == "Administrative" and |
| 53 | + OperationNameValue == "Microsoft.Authorization/roleAssignments/write" and |
| 54 | + (ActivityStatusValue == "Start" or ActivityStatus == "Started") |
| 55 | + | extend RoleDefinition = extractjson("$.Properties.RoleDefinitionId",tostring(Properties_d.requestbody),typeof(string)) |
| 56 | + | extend PrincipalId = extractjson("$.Properties.PrincipalId",tostring(Properties_d.requestbody),typeof(string)) |
| 57 | + | extend PrincipalType = extractjson("$.Properties.PrincipalType",tostring(Properties_d.requestbody),typeof(string)) |
| 58 | + | extend Scope = extractjson("$.Properties.Scope",tostring(Properties_d.requestbody),typeof(string)) |
| 59 | + | where Scope !contains "resourcegroups" |
| 60 | + | extend RoleId = split(RoleDefinition,'/')[-1] |
| 61 | + | extend RoleDisplayName = case( |
| 62 | + RoleId == 'b24988ac-6180-42a0-ab88-20f7382dd24c', "Contributor", |
| 63 | + RoleId == '8e3af657-a8ff-443c-a75c-2fe8c4bcb635', "Owner", |
| 64 | + RoleId == '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9', "User Access Administrator", |
| 65 | + "Irrelevant") |
| 66 | + | where RoleDisplayName != "Irrelevant" |
| 67 | + | project TimeGenerated,Scope, PrincipalId,PrincipalType,RoleDisplayName |
| 68 | + ``` |
| 69 | +
|
| 70 | + :::image type="content" source="./media/role-assignments-alert/alert-rule-condition.png" alt-text="Screenshot of Create an alert rule condition tab in Azure Monitor." lightbox="./media/role-assignments-alert/alert-rule-condition.png"::: |
| 71 | +
|
| 72 | +1. In the **Measurement** section, set the following values: |
| 73 | +
|
| 74 | + - **Measure**: Table rows |
| 75 | + - **Aggregation type**: Count |
| 76 | + - **Aggregation granularity**: 5 minutes |
| 77 | +
|
| 78 | + For **Aggregation granularity**, you can change the default value to a frequency you desire. |
| 79 | +
|
| 80 | +1. In the **Split by dimensions** section, set **Resource ID column** to **Don't split**. |
| 81 | +
|
| 82 | +1. In the **Alert logic** section, set the following values: |
| 83 | +
|
| 84 | + - **Operator**: Greater than |
| 85 | + - **Threshold value**: 0 |
| 86 | + - **Frequency of evaluation**: 5 minutes |
| 87 | +
|
| 88 | + For **Frequency of evaluation**, you can change the default value to a frequency you desire. |
| 89 | +
|
| 90 | +1. On the **Actions** tab, create an action group or select an existing action group. |
| 91 | +
|
| 92 | + An action group defines the actions and notifications that are executed when the alert is triggered. |
| 93 | +
|
| 94 | + When you create an action group, you must specify the resource group to put the action group within. Then, select the notifications (Email/SMS message/Push/Voice action) to invoke when the alert rule triggers. You can skip the **Actions** and **Tag** tabs. For more information, see [Create and manage action groups in the Azure portal](../azure-monitor/alerts/action-groups.md). |
| 95 | +
|
| 96 | +1. On the **Details** tab, select the resource group to save the alert rule. |
| 97 | +
|
| 98 | +1. In the **Alert rule details** section, select a **Severity** and specify an **Alert rule name**. |
| 99 | +
|
| 100 | +1. For **Region**, you can select any region since Azure activity logs are global. |
| 101 | +
|
| 102 | +1. Skip the **Tags** tab. |
| 103 | +
|
| 104 | +1. On the **Review + create** tab, click **Create** to create your alert rule. |
| 105 | +
|
| 106 | +## Test the alert rule |
| 107 | +
|
| 108 | +Once you've created an alert rule, you can test that it fires. |
| 109 | +
|
| 110 | +1. Assign the Contributor, Owner, or User Access Administrator role at subscription scope. For more information, see [Assign Azure roles using the Azure portal](role-assignments-portal.md). |
| 111 | +
|
| 112 | +1. Wait a few minutes to receive the alert based on the aggregation granularity and the frequency of evaluation of the log query. |
| 113 | +
|
| 114 | +1. On the **Alerts** page, monitor for alert you specified in the action group. |
| 115 | +
|
| 116 | + :::image type="content" source="./media/role-assignments-alert/alert-fired.png" alt-text="Screenshot of the Alerts page showing that role assignment alert fired." lightbox="./media/role-assignments-alert/alert-fired.png"::: |
| 117 | +
|
| 118 | + The following image shows an example of the email alert. |
| 119 | +
|
| 120 | + :::image type="content" source="./media/role-assignments-alert/alert-email.png" alt-text="Screenshot of an email alert for a role assignment." lightbox="./media/role-assignments-alert/alert-email.png"::: |
| 121 | +
|
| 122 | +## Delete the alert rule |
| 123 | +
|
| 124 | +Follow these steps to delete the role assignment alert rule and stop additional costs. |
| 125 | +
|
| 126 | +1. In **Monitor**, navigate to **Alerts**. |
| 127 | +
|
| 128 | +1. In the bar, click **Alert rules**. |
| 129 | +
|
| 130 | +1. Add a checkmark next to the alert rule you want to delete. |
| 131 | +
|
| 132 | +1. Click **Delete** to remove the alert. |
| 133 | +
|
| 134 | +## Next steps |
| 135 | +
|
| 136 | +- [Create, view, and manage activity log alerts by using Azure Monitor](../azure-monitor/alerts/alerts-activity-log.md) |
| 137 | +- [View activity logs for Azure RBAC changes](change-history-report.md) |
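Review bot: The `case()` in the Kusto query (the `RoleDisplayName` lines) labels every role definition other than the three hard-coded built-in GUIDs as "Irrelevant" and then drops it, so an assignment of a custom role that is just as privileged would never fire this rule; the article text should state that limitation, or the step should tell readers to extend the `case()` with the role definition IDs of any custom roles they consider privileged. Two smaller points: the prerequisite "Log Analytics configured so it has access to the AzureActivity table" should spell out that the subscription's activity log has to be sent to that workspace (for example via a diagnostic setting on the subscription), since a freshly created workspace has no `AzureActivity` rows and the rule will silently never trigger; and in the test section, "monitor for alert you specified" reads better as "monitor for the alert you specified".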