Is there a way to differentiate Azure activity logs generated by "Microsoft" services versus users and roles in Azure Cloud?

If I look at the Azure activity logs in Azure Portal, some of the logs are initiated by Microsoft internal services like "Microsoft Azure Policy Insights". In my application we are getting the Azure activity logs using the Rest API for Activity logs. Is there a way to filter out internally generated logs (initiated by Microsoft services) from the ones generated by actual users or applications configured in the account? I thought of using caller as a way to differentiate. For users, caller has an email address assigned. But the problem with this approach is that it will filter out any logs for applications as well. Let me know if there is any other way to achieve this.

Unfortunately I don't believe there is a way to achieve this scenario.
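As an added illustration (not code from the question or the answer) of the caller-based heuristic the question proposes and of where it breaks down: only user callers carry an email-style UPN, while application principals and Microsoft-internal services both lack one, so the caller field alone cannot tell those two apart. The records below are constructed to resemble items from the Activity Log REST API's "value" array; the operation names are placeholders.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Constructed sample records; only "caller" and "operationName" are used.
SAMPLE_EVENTS = [
    {"caller": "alice@contoso.example",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"}},
    {"caller": "11111111-2222-3333-4444-555555555555",   # constructed object id
     "operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"}},
    {"caller": "Microsoft Azure Policy Insights",
     "operationName": {"value": "Microsoft.PolicyInsights/placeholder/action"}},
    {"caller": None,
     "operationName": {"value": "Microsoft.Resources/deployments/write"}},
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def classify_caller(caller: Optional[str]) -> str:
    """Bucket an activity-log caller by its shape.

    "user"         : UPN / email address (interactive or scripted user identity)
    "principal-id" : a GUID, i.e. an app or service principal or a managed
                     identity; NOT distinguishable from a Microsoft-owned
                     principal using the caller field alone
    "named-service": a free-text display name such as a Microsoft service
    "unknown"      : caller missing from the record
    """
    if not caller:
        return "unknown"
    if EMAIL_RE.match(caller):
        return "user"
    if GUID_RE.match(caller):
        return "principal-id"
    return "named-service"


def partition_events(events: Iterable[dict]) -> Dict[str, List[dict]]:
    """Group records by caller class so the ambiguity is visible per bucket."""
    buckets: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        buckets[classify_caller(ev.get("caller"))].append(ev)
    return dict(buckets)


if __name__ == "__main__":
    for kind, evs in partition_events(SAMPLE_EVENTS).items():
        print(kind, [e["operationName"]["value"] for e in evs])
```

Dropping everything that is not a "user" caller discards the application bucket along with the Microsoft-service bucket, which is exactly the limitation the question describes.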

Related

Azure - monitoring resources using REST APIs

I am new to Azure and have been going through various tutorials.
I am looking specifically at Azure Monitoring using REST APIs.
What I am trying to do is get the status of various resources like Virtual Networks, AD, Load Balancers etc on a custom dashboard using REST APIs.
I have found a list of REST APIs that allow monitoring here (https://learn.microsoft.com/en-us/rest/api/monitor/).
But do they provide resource health and status? Also, do I have to create a new API Management Service resource (which is a paid resource) in the Azure account for these APIs to run?
Please let me know if you have any insights or reference materials on this.
I don't think the REST API is good for monitoring. I would suggest using the Azure Monitor service; under that you can use Azure resource metrics, Activity logs and Service Health. Based on these metrics and logs you can set alerts and show live data on the dashboard.
We are using Microsoft OMS for live monitoring (visualization of data) and Email/SMS for notification.
Audit and receive notifications about important actions in your Azure subscription

How to share Azure Function logs with 3rd party

I have some Azure Functions that I share to my partner companies who then run the Azure Functions in their own Azure subscriptions.
Occasionally the partners run into issues and reach out to me for help. I have to instruct them to manually pull the Azure Function logs and send to me via email.
Is there any way they can grant me permission to pull the logs from their Azure subscription?
It depends on where you have the logs.
Either way, they can grant you RBAC permission to their resource in their subscription. Generally, they have read only access options available. All resources have the same experience for modifying RBAC (but they do differ on which policies they support). It's pretty straightforward, but this doc has more information: https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure
If you're using our default Storage logs, do yourself a favor and turn on App Insights because it's great. Then, if you still want to use Storage, you can get RBAC access or a SAS token and grab those logs from the Storage Account associated with the Function App. (Name should be in the AzureWebJobsDashboard setting). If you get a SAS token, you can use the Storage Explorer by choosing the SAS URI option when you connect.
If you're using App Insights, good job, you've made the right decision. You can get RBAC access to the App Insights resource and use all their great UI experience/etc. You can also get an API Key and make direct API calls against it, in the case that RBAC wouldn't work. (I would try to get RBAC access, but if that's not possible, here's a link to App Insights REST API docs: https://dev.applicationinsights.io/quickstart)
Short answer, use RBAC to get granted limited permissions (and App Insights because it's great)

Does an Azure Cloud Service Publishing Profile Exist?

I need to assign publish permission to one of my developers so that he is able to publish to only one cloud service and does not affect others.
Azure websites have a concept called "download publishing profile".
I could not find anything similar for cloud services. Can it be achieved?
As you know, the Azure Management Portal does not have any role defined where we could map a user account login to manage a set of resources (say cloud service 1 & 2).
It is not possible as of today. It seems that it should be possible with Resource Groups and Role Based Access Control (RBAC); however, currently cloud services can't be added to resource groups and assigned RBAC.
One way you could achieve this is to have a custom application consuming the Service Management API and implement your own RBAC in that application. However, it is still a "hack" and not a proper solution.
Why don't you try using "publish from source control"? When the developer checks in it will auto publish the code.
I believe the new portal will allow the creation of roles for publishing profiles; it already allows adding additional users to your organization; but to get what you want for now; publishing from source code should do the trick.

How can I allow other users to deploy to my Azure cloud services?

I created an empty Azure cloud service and I want to allow other developers to deploy to it. So far the only route I can see is adding the developers as Azure subscription administrators. I would rather give them more specific access to the cloud services only.
No such functionality exists today which will allow you to grant/revoke permissions at the cloud service level. Once a developer is provided access to the subscription, they would have access to all the resources under that subscription.
There's a REST API behind cloud service deployments and all the tools (including the Windows Azure Portal and Visual Studio) consume this API for creating deployments. One possible solution would be to build your own solution consuming this API. In this solution you would implement access control based on your requirements, so that when your users use this service, they will only see the cloud service they're assigned to and can only manage that cloud service. There's a managed library for consuming this API. You can find more information here: http://www.bradygaster.com/post/getting-started-with-the-windows-azure-management-libraries.
It seems that if the original developer downloads the publish profile from Azure (it's an XML file with a .PublishSettings extension), you can copy the userPWD from that file, give it to another developer and they can paste it into the password field in the Connection section of the Publish dialog.
The userPWD is a string that looks something like this:
EFFCLfDqDKHlXcA2YDZPvX4BZXWFaobxaLN0aPJd4HCfa8WxlqEkt2yywBsx

Pulling details of hosted services in Azure programmatically

Is there any API or class that helps the user to programmatically pull the details of hosted services in Azure if the user keys in a subscription id?
I could do the above with the references you guys referred to.
Is there any possibility to get subscription details like the subscription name using the Windows Azure APIs?
You would need both subscription id and the management certificate from the user. Once you have these two things, you could use Windows Azure Service Management REST API: http://msdn.microsoft.com/en-us/library/windowsazure/ee460799.aspx to get details about the hosted services.
Have a look at the Service Management REST API.
For security reasons, it's not going to be as easy as entering a subscription id though.
