onelinecommand

Steps To Get Az Activity Across All Subscriptions

# Login to Azure

Connect-AzAccount

# Define time range

$startTime = (Get-Date).AddDays(-10)

# Initialize array to collect results

$allLogs = @()

# Get all subscriptions

$subscriptions = Get-AzSubscription

foreach ($sub in $subscriptions) {

    $subscriptionId = $sub.Id

    $subscriptionName = $sub.Name

    Select-AzSubscription -SubscriptionId $subscriptionId

    # Get all role assignments at subscription scope

    $roleAssignments = Get-AzRoleAssignment -Scope “/subscriptions/$subscriptionId” | Where-Object { $_.SignInName }

    # Create a hashtable of UPN to Role

    $userRoles = @{}

    foreach ($ra in $roleAssignments) {

        $upn = $ra.SignInName

        $role = $ra.RoleDefinitionName

        if ($userRoles.ContainsKey($upn)) {

            $userRoles[$upn] += “, $role”

        } else {

            $userRoles[$upn] = $role

        }

    }

    # Get activity logs

    $logs = Get-AzActivityLog -StartTime $startTime

    # Filter logs for users in role assignments, skip null callers

    $filteredLogs = $logs | Where-Object {

        $_.Caller -and $userRoles.ContainsKey($_.Caller)

    } | Select-Object `

        @{Name=”Timestamp”;Expression={$_.EventTimestamp}},

        @{Name=”SubscriptionId”;Expression={$subscriptionId}},

        @{Name=”SubscriptionName”;Expression={$subscriptionName}},

        @{Name=”ResourceGroup”;Expression={$_.ResourceGroupName}},

        @{Name=”ResourceType”;Expression={$_.ResourceType}},

        @{Name=”ResourceName”;Expression={$_.ResourceId.Split(“/”)[-1]}},

        @{Name=”Caller”;Expression={$_.Caller}},

        @{Name=”Role”;Expression={$userRoles[$_.Caller]}},

        @{Name=”Operation”;Expression={($_.OperationName -as [string])}},

        @{Name=”Status”;Expression={($_.Status -as [string])}}

    $allLogs += $filteredLogs

}

# Export to CSV

$csvPath = “C:\\Temp\\AzureActivityLogs_AllRoles.csv”

$allLogs | Export-Csv -Path $csvPath -NoTypeInformation

Write-Host “✅ Export complete. File saved to: $csvPath”

BreakDown:

🔐 1. Authenticate to Azure

Prompts the user to log in to Azure using their credentials.

📅 2. Define Time Range

Sets the start time for activity logs to 10 days ago.

📦 3. Initialize Results Array

Creates an empty array to store filtered activity logs.

🔄 4. Loop Through Subscriptions

Retrieves all subscriptions and loops through each one.

📌 5. Set Subscription Context

Sets the current subscription context so that subsequent commands apply to it.

👥 6. Get Role Assignments

Fetches all role assignments at the subscription level that have a valid user principal name (SignInName).

🧠 7. Map Users to Roles

Creates a hashtable mapping each user (UPN) to their assigned role(s). If a user has multiple roles, they are concatenated.

📜 8. Get Activity Logs

Retrieves activity logs for the current subscription starting from the defined time.

🔍 9. Filter Logs by Role Assignment

Filters logs to include only those initiated by users found in the role assignment list, and skips entries with null Caller.

📄 10. Format Output

Each log entry is formatted with:

  • Timestamp
  • SubscriptionId
  • SubscriptionName
  • ResourceGroup
  • ResourceType
  • ResourceName
  • Caller
  • Role
  • Operation
  • Status

📤 11. Export to CSV

Exports the final filtered and formatted logs to a CSV file.

✅ 12. Completion Message

Displays a message confirming the export.

premkumarsubramaniyan

, , , ,

Leave a comment