Azure Audit


Azure Compute Services are the core set of cloud computing services that allow you to deploy and manage workloads on Microsoft Azure. These services provide the infrastructure, tools, and platforms for computing and storage needs.

For detailed information, refer to Microsoft’s official documentation.

Integration Method: Azure Blob
Tables: Group Management (3006), Entity Management (3004), Authorize Session (3003), Account Change (3001), User Access Management (3005)

| Event | Description |
|---|---|
| User Management | List of activities that log changes to user accounts like create, update, delete users, license assignments, password resets. |
| Device | List of activities that track changes to device properties and templates for managed devices. |
| Application Management | List of activities that capture application changes such as app registrations, updates, deletions, and service principal modifications. |
| Role Management | List of activities that track creation, updates, and deletions of roles and role assignments. |
| Group Management | List of activities that log group operations including creation, updates, and membership changes. |
| Authorization | List of activities that record permission grants, consents, and other authorization-related actions. |
| Provisioning Management | List of activities that track provisioning operations from identity providers or external services. |
| Contact | List of activities that log creation, updates, and deletions of contact directory objects. |
| Administrative Unit | List of activities that log creation, updates, deletions, and membership changes for administrative units. |

Note:

Microsoft Azure is a continuously updated cloud service. At the time this document was prepared, the latest release was in September 2025.

Prerequisites

  • The user should have access to the Azure portal with an account that has the Global Administrator privilege.

  • The user should have access to the DataBee console.

Configuration Overview

  1. Create an application with required permissions to fetch the data.

  2. Add the Azure Audit data feed in the DataBee console with the below parameters.

    | DataBee Parameter | Azure Resource Logs Parameter |
    |---|---|
    | Client ID | Application (client) ID |
    | Client Secret | Client Secret Value |
    | Tenant ID | Directory (Tenant) ID |
    | Blob Account Name | Storage Account Name |
    | Blob Container Name | Container Name |
    | Azure Queue Name | Queue Name |

Azure Audit Logs Configuration

To create the Azure Blob storage, follow the steps below.

Create an application

  1. Log on to Azure with a user account that has the Global Administrator privilege.

  2. In the search bar, search for App registrations and select it.
     

  3. On the “App registrations” page, click New registration. The “Register an application” window appears.
     

  4. On the “Register an application” window:

    1. Under Name, enter your Application Name, then click Register to create the application.

     

  5. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.
     

Create client secret

  1. Select the application created above.

  2. Under Manage, click Certificates & secrets, and then click on Client secrets.
     

  3. Click New client secret. The “Add a client secret” window appears.
     

  4. In the “Add a client secret” window:

    1. Enter a Description for this client secret and select the desired expiry period from the Expires drop-list.

    2. Then click on Add to create the client secret.

     

    Note:

    The user needs to re-create the client secret when it expires.

  5. Copy the Value field for later use.
     

Create Storage Account

  1. Navigate to the home page and search for Storage accounts.
     

  2. To create a new storage account, ensure the user has the necessary permissions to create one and follow the steps outlined here. To use an existing storage account, proceed to step 3.

  3. Open Storage accounts, then locate and select the desired storage account. Copy the Storage Account Name for future reference.
     

Assign Role to Application

  1. In the storage account, assign the created Azure AD App to a Role that grants access to the storage blob.

  2. Navigate to Access Control (IAM) under the storage account and click on Add.
     

  3. Assign the appropriate role for the Application.

    | Role | Description |
    |---|---|
    | Storage Blob Data Contributor | Allows read/write/delete access to blob objects. |
    | Storage Queue Data Contributor | Allows sending, reading, and deleting messages in queues. |
    | Storage Account Contributor | Provides full control over the storage account. |

  1. In the Add role assignment pane, use the search bar to type the desired role and select it from the list. Once selected, click Next.
     

  2. Select the member for the role assignment.

    1. Click on Select members.

    2. Search for the application created during the app registration process and click on Select.

     

  3. Click Next to continue.
     

  4. Click Next to continue.
     

  5. Click Review + Assign to finalize the role assignment.
     

  6. To verify the role assignment:

    1. Navigate to Access Control (IAM) > Role assignments.

    2. Search for the application; the role assigned for the storage blob will be visible.
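
The same verification can be scripted against an export of the role assignments. The following is an added example, not DataBee or Microsoft code: it reviews the assignments of the application's service principal for the storage account and reports roles granted at a wider scope than the account itself. The sample data, the IDs, and the policy that only the two data-plane roles are needed are assumptions of this example.

```python
# Roles from the table above. Assumptions of this example: the feed needs both
# data-plane roles, and Storage Account Contributor is reported as broader than that.
DATA_ROLES = {"Storage Blob Data Contributor", "Storage Queue Data Contributor"}
BROAD_ROLES = {"Storage Account Contributor"}

def audit_assignments(assignments, principal_id, storage_scope):
    """Return findings for one principal's role assignments on a storage account."""
    findings, seen = [], set()
    target = storage_scope.lower().rstrip("/")
    for a in assignments:
        if a.get("principalId") != principal_id:
            continue
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "").lower().rstrip("/")
        inherited = target.startswith(scope + "/")
        if not inherited and scope != target:
            continue  # assignment does not apply to this storage account
        if inherited:  # granted on the resource group, subscription or above
            findings.append(f"BROAD_SCOPE: {role} assigned at {a['scope']}")
        if role in BROAD_ROLES:
            findings.append(f"BROAD_ROLE: {role}")
        elif role in DATA_ROLES:
            seen.add(role)
        else:
            findings.append(f"UNEXPECTED_ROLE: {role}")
    findings += [f"MISSING: {r}" for r in sorted(DATA_ROLES - seen)]
    return findings

# Constructed sample shaped like `az role assignment list` JSON output.
# principalId is the object ID of the app's service principal, not the client ID.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
STORAGE_SCOPE = (SUB + "/resourceGroups/example-rg/providers/"
                 "Microsoft.Storage/storageAccounts/examplestorageacct")
APP_SP = "11111111-1111-1111-1111-111111111111"
SAMPLE = [
    {"principalId": APP_SP, "scope": STORAGE_SCOPE,
     "roleDefinitionName": "Storage Blob Data Contributor"},
    {"principalId": APP_SP, "scope": SUB,
     "roleDefinitionName": "Storage Account Contributor"},
    {"principalId": "22222222-2222-2222-2222-222222222222", "scope": SUB,
     "roleDefinitionName": "Owner"},
]
```

An empty result means both data-plane roles are present and nothing is granted above the storage account.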

     

Creating a Queue for Blob Storage

  1. To read the data from blob storage we need a queue.

  2. In the storage account, click on Data storage > Queues.

  3. Go to Queues and click on + Queue to create a new queue.

    1. Enter a queue name and click on OK.

     

  4. To set up event notification, go to the Events tab and click on + Event Subscription.
     

  5. Provide EVENT SUBSCRIPTION DETAILS, TOPIC DETAILS and EVENT TYPES:

    1. Enter the event name.

    2. Choose Event Grid Schema as event schema.

    3. Add System Topic Name if not added already.

    4. Select Blob Created as the Filter to Event Types.

     

  6. Select Storage Queue as the Endpoint Type.
     

  7. Provide ENDPOINT DETAILS to configure the endpoint:

    1. Click on Configure an endpoint option.

    2. Select the appropriate Subscription and Storage account values.

    3. Select the Select existing queue option and choose the queue created previously.

    4. Click Select.

     

  8. Click Create to finalize the event subscription.
     

Forwarding the Audit logs to Blob Storage

To forward the Azure Audit logs of the administrative category to the blob storage account that you created, follow the steps below.

  1. Navigate to the home page and search for Audit Logs.
     

  2. Click on Export Data Settings.
     

  3. Click on Add Diagnostic Setting.
     

  4. Select the Audit Logs category and choose Archive to a storage account. Fill in the details below, then click Save.
     

  5. A new container will be created in your storage account, which will be used in the DataBee configuration.
     

DataBee Configuration

  1. Log in to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
     

  2. Search for Azure Audit and click it as shown below.
     

  3. Click on the Azure Blob option.
     

  4. Enter feed contact information and click Next.
     

  5. In the configuration page, confirm the following:

    • Client ID: Paste the Application ID

    • Client Secret: Paste the Secret Value

    • Tenant ID: Paste the Directory ID

     

  6. In the configuration page, confirm the Azure Blob Storage details:

    • Blob Account Name: Paste the Storage Account name

    • Blob Container Name: Paste the Storage Container name

    • Compression: none

    • Content Type: JSON Lines

    • Azure Queue Name: Paste the Queue name

     

  7. Click Submit.
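
To show how the pieces configured above fit together (Blob Created notifications in the queue, JSON Lines blobs in the container), here is an added example of a queue consumer's checks. It is not DataBee's code. It assumes the queue message body is a base64-encoded or plain Event Grid schema event; the account name, container name, and sample records are constructed placeholders.

```python
import base64
import json
from urllib.parse import unquote, urlparse

# Placeholders for the Blob Account Name / Blob Container Name entered in the feed.
EXPECTED_HOST = "examplestorageacct.blob.core.windows.net"  # assumes public Azure cloud
EXPECTED_CONTAINER = "example-audit-container"

def parse_queue_message(body):
    """Decode one queue message (base64 or plain JSON) into an Event Grid event."""
    try:
        text = base64.b64decode(body, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        text = body
    event = json.loads(text)
    return event[0] if isinstance(event, list) else event

def blob_from_event(event):
    """Return (container, blob_path) for an in-scope Blob Created event, else None."""
    if event.get("eventType") != "Microsoft.Storage.BlobCreated":
        return None
    url = urlparse(event.get("data", {}).get("url", ""))
    container, _, blob_path = unquote(url.path).lstrip("/").partition("/")
    if url.scheme != "https" or url.hostname != EXPECTED_HOST:
        return None  # notification points at a different account
    if container != EXPECTED_CONTAINER or not blob_path:
        return None  # blob is outside the audit-log container
    return container, blob_path

def parse_json_lines(payload):
    """Parse JSON Lines text; return (records, numbers of lines that failed)."""
    records, bad = [], []
    for n, line in enumerate(payload.splitlines(), 1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad.append(n)
    return records, bad

# Constructed sample inputs (not real tenant data; record fields are simplified).
SAMPLE_EVENT = {"eventType": "Microsoft.Storage.BlobCreated",
                "data": {"url": "https://examplestorageacct.blob.core.windows.net/"
                                "example-audit-container/y=2025/m=09/PT1H.json"}}
SAMPLE_MESSAGE = base64.b64encode(json.dumps(SAMPLE_EVENT).encode()).decode()
SAMPLE_BLOB = ('{"operationName": "Add user", "category": "AuditLogs"}\n'
               '{"operationName": "Add member to group", "category": "AuditLogs"}\n'
               '{"operationName": "Add us')
```

Notifications for other event types, accounts, or containers return None, and a truncated final line is reported by line number instead of aborting the batch.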

Troubleshooting Tips

  • In case of any permission errors, ensure that the proper roles are assigned to the application on the storage account that was created.