Skip to content

Commit 525533a

Browse files
committed
View elevate access log entries in the Directory audit logs
1 parent cd3a6b6 commit 525533a

File tree

1 file changed

+38
-3
lines changed

1 file changed

+38
-3
lines changed

articles/role-based-access-control/elevate-access-global-admin.md

Lines changed: 38 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -337,15 +337,46 @@ When you call `elevateAccess`, you create a role assignment for yourself, so to
337337
338338
---
339339
340-
## View elevate access log entries in the Directory Activity logs
340+
## View elevate access log entries
341+
342+
When access is elevated, an entry is added to the logs. As a Global Administrator in Microsoft Entra ID, you might want to check when access was elevated and who did it. Elevate access log entries appear in both the Directory audit logs (Preview) and the Directory Activity logs. This section describes different ways that you can view the elevate access log entries.
343+
344+
### Directory audit logs (Preview)
345+
346+
> [!IMPORTANT]
347+
> Elevate access log entries in the Directory audit logs is currently in preview.
348+
> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
349+
> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
350+
351+
1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator.
352+
353+
1. Browse to **Microsoft Entra ID** > **Monitoring ** > **Audit logs**.
354+
355+
1. In the **Service** filter, select **Azure RBAC (Elevated Access)** and then select **Apply**.
356+
357+
Elevated access logs are displayed.
358+
359+
1. To view when access was elevated, select one of the following audit logs to view the details.
360+
361+
`User has elevated their access to User Access Administrator for their Azure Resources`
362+
363+
1. To view when elevated access was removed, select one of the following audit logs to view the details.
364+
365+
`The role assignment of User Access Administrator has been removed from the user`
366+
367+
1. To download and view the payload of the events in the JSON format, select **Download** and **JSON**.
368+
369+
### Directory Activity logs
341370
342371
When access is elevated, an entry is added to the logs. As a Global Administrator in Microsoft Entra ID, you might want to check when access was elevated and who did it. Elevate access log entries do not appear in the standard activity logs, but instead appear in the Directory Activity logs. This section describes different ways that you can view the elevate access log entries.
343372
344-
### View elevate access log entries using the Azure portal
373+
# [Azure portal](#tab/azure-portal)
374+
375+
#### View elevate access log entries using the Azure portal
345376
346377
1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator.
347378
348-
1. Open **Monitor** > **Activity log**.
379+
1. Browse to **Monitor** > **Activity log**.
349380
350381
1. Change the **Activity** list to **Directory Activity**.
351382
@@ -355,6 +386,8 @@ When access is elevated, an entry is added to the logs. As a Global Administrato
355386
356387
![Screenshot showing directory activity logs in Monitor.](./media/elevate-access-global-admin/monitor-directory-activity.png)
357388
389+
# [Azure CLI](#tab/azure-cli)
390+
358391
### View elevate access log entries using Azure CLI
359392
360393
1. Use the [az login](/cli/azure/reference-index#az-login) command to sign in as Global Administrator.
@@ -412,6 +445,8 @@ A user in the group can now periodically run the [az rest](/cli/azure/reference-
412445
az rest --url "https://management.azure.com/providers/Microsoft.Insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '2021-09-10T20:00:00Z'" > output.txt
413446
```
414447

448+
---
449+
415450
## Next steps
416451

417452
- [Understand the different roles](rbac-and-directory-admin-roles.md)

0 commit comments

Comments
 (0)