Jump to content
Free PC Help Forum
Logging In to Free PC Help Forum Has Changed

Announcing the General Availability of Change Actor

Guest IanCarter

By Guest IanCarter
in Microsoft Support & Discussions

 Share

Recommended Posts

Guest IanCarter

Guest IanCarter

Posted
Posted

Change Analysis

 

Identifying who made a change to your Azure resources and how the change was made just became easier! With Change Analysis, you can now see who initiated the change and with which client that change was made, for changes across all your tenants and subscriptions. 

 

 

Audit, troubleshoot, and govern at scale 

 

Changes should be available in under five minutes and are queryable for fourteen days. In addition, this support includes the ability to craft charts and pin results to Azure dashboards based on specific change queries.  

 

 

What’s new: Actor Functionality  

 

  • Who made the change 
    • This can be either ‘AppId’ (client or Azure service) or email-ID of the user
    • changedBy: elizabeth@contoso.com

  •        With which client the change was made
    • clientType: portal

 

 

 

Try it out

 

You can try it out by querying the “resourcechanges” or “resourcecontainerchanges” tables in Azure Resource Graph. 

 

 

 

Sample Queries

 

Here is documentation on how to query resourcechanges and resourcecontainerchanges in Azure Resource Graph. Get resource changes - Azure Resource Graph | Microsoft Learn

 

 

The following queries all show changes made within the last 7 days.

 

Summarization of who and which client were used to make resource changes in the last 7 days ordered by the number of changes

 

 

resourcechanges 

 

| extend changeTime = todatetime(properties.changeAttributes.timestamp), 

 

targetResourceId = tostring(properties.targetResourceId), 

 

changeType = tostring(properties.changeType), changedBy = tostring(properties.changeAttributes.changedBy), 

 

changedByType = properties.changeAttributes.changedByType, 

 

clientType = tostring(properties.changeAttributes.clientType) 

 

| where changeTime > ago(7d) 

 

| project changeType, changedBy, changedByType, clientType 

 

| summarize count() by changedBy, changeType, clientType 

 

| order by count_ desc 

 

 

Summarization of who and what operations were used to make resource changes ordered by the number of changes

 

 

resourcechanges 

 

| extend changeTime = todatetime(properties.changeAttributes.timestamp), 

 

targetResourceId = tostring(properties.targetResourceId),

 

operation = tostring(properties.changeAttributes.operation), 

 

changeType = tostring(properties.changeType), changedBy = tostring(properties.changeAttributes.changedBy), 

 

changedByType = properties.changeAttributes.changedByType, 

 

clientType = tostring(properties.changeAttributes.clientType) 

 

| project changeType, changedBy, operation 

 

| summarize count() by changedBy, operation 

 

| order by count_ desc 

 

 

 

List resource container (resource group, subscription, and management group) changes. who made the change, what client was used, and which operation was called, ordered by the time of the change

 

 

resourcecontainerchanges 

 

| extend changeTime = todatetime(properties.changeAttributes.timestamp), 

 

targetResourceId = tostring(properties.targetResourceId), 

 

operation=tostring(properties.changeAttributes.operation), 

 

changeType = tostring(properties.changeType), changedBy = tostring(properties.changeAttributes.changedBy), 

 

changedByType = properties.changeAttributes.changedByType, 

 

clientType = tostring(properties.changeAttributes.clientType) 

 

| project changeTime, changeType, changedBy, changedByType, clientType, operation, targetResourceId 

 

| order by changeTime desc 

 

 

 

 

FAQ

 

How do I use Change Analysis?

 

Change Analysis can be used by querying the resourcechanges or resourcecontainerchanges tables in Azure Resource Graph, such as with Azure Resource Graph Explorer in the Azure Portal or through the Azure Resource Graph APIs.

 

More information can be found here: Get resource changes - Azure Resource Graph | Microsoft Learn.

 

  

 

What does unknown mean?

 

Unknown is displayed when the change happened on a client that is unrecognized. Clients are recognized based on the user agent and client application id associated with the original change request.

 

 

 

What does System mean?

 

System is displayed as a changedBy value when a background change occurred that wasn’t correlated with any direct user action.

 

 

 

What resources are included?

You can try it out by querying the “resourcechanges” or “resourcecontainerchanges” tables in Azure Resource Graph. 

 

 

 

Questions and Feedback 

 

 

Continue reading...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...