Find Azure permission (role assignment) changes on the platform
Make sure Diagnostic Settings are enabled on the subscription and that you are exporting the Security category to a Log Analytics workspace. Then run the query below on that workspace to find recently changed permissions (role assignments created or deleted).
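// Lists Azure RBAC role-assignment writes and deletes recorded in AzureActivity,
// with the scope, caller and assigned principal extracted from the request/response body.
// Scope the time range with the workspace time picker, or add
//   | where TimeGenerated > ago(7d)
// after the final 'where' if you want the query to be self-contained.
//
// Pair every role-assignment event with the other AzureActivity records that share
// its CorrelationId and TimeGenerated, so that the request body (carried by the
// 'Start' record, exposed here as Properties1) and the response body (carried by
// the completion record) can be read in the same row.
// NOTE(review): the join keys on an exact TimeGenerated match; confirm this
// pairs the Start and completion records of one operation in your tenant.
let JoinedLogs = AzureActivity
    | where OperationNameValue has "Microsoft.Authorization/roleAssignments"
    | join kind=inner (
        AzureActivity
    ) on CorrelationId, TimeGenerated;
JoinedLogs
// 'Start' records carry the assignment in the request body ('Properties' key);
// completion records carry it in the response body ('properties' key).
| extend AssignmentPropertiesRaw = iif(ActivityStatusValue startswith 'Start',
        parse_json(tostring(parse_json(Properties1).requestbody)).Properties,
        parse_json(tostring(parse_json(Properties).responseBody)).properties)
// Re-parse the body after lower-casing its text so that key casing differences
// between request and response bodies do not matter. Dynamic property access is
// case-sensitive, so every key read from AssignmentProperties below MUST be lower case.
| extend AssignmentProperties = parse_json(tolower(tostring(AssignmentPropertiesRaw)))
// ResourceId may be empty on some records; fall back to _ResourceId.
// The id is the assignment scope followed by '/providers/Microsoft.Authorization/roleAssignments/<id>'.
// Splitting on '/' (leading empty segment included) yields 7 segments for a
// subscription scope, 9 for a resource group and 11 or more for a resource.
// NOTE(review): management-group scope is mapped to 5 segments here; confirm
// against the ids your tenant emits.
| extend ScopeSegments = split(iif(strlen(ResourceId) == 0, _ResourceId, ResourceId), '/')
| extend ScopeLevel = case(
        array_length(ScopeSegments) == 5, "Managementgroup",
        array_length(ScopeSegments) == 7, "Subscription",
        array_length(ScopeSegments) == 9, "Resourcegroup",
        array_length(ScopeSegments) >= 11, "Resource",
        "Unknown")
// For a resource scope, segments 6/7 are the provider namespace and type and
// segment 8 is the resource name.
| extend ResourceType = iif(ScopeLevel =~ 'Resource', strcat(ScopeSegments[6], '/', ScopeSegments[7]), '')
| extend ResourceName = iif(ScopeLevel =~ 'Resource', tostring(ScopeSegments[8]), '')
| project
    TimeGenerated,
    ScopeLevel,
    ResourceType,
    ResourceName,
    ResourceId = iif(strlen(ResourceId) == 0, _ResourceId, ResourceId),
    ResourceGroup,
    SubscriptionId,
    // Identity that performed the change; the principal receiving the role is below.
    Caller,
    // Only the '.../WRITE' and '.../DELETE' operations are expected after the 'has' filter.
    OperationName = iff(OperationNameValue endswith 'WRITE', 'Create role assignment', 'Delete role assignment'),
    AssignmentId = iif(strlen(Resource) == 0, parse_json(Properties).resource, Resource),
    // Field names differ between body variants; try the common one first, then the alternative.
    // All keys are lower case because the body text was lower-cased above.
    AssignmentPrincipalType = iff(isnotempty(AssignmentProperties.principaltype), AssignmentProperties.principaltype, AssignmentProperties.assignmenttype),
    AssignmentPrincipalId = iff(isnotempty(AssignmentProperties.principalid), AssignmentProperties.principalid, AssignmentProperties.assignmentprincipalid),
    AssignmentDescription = AssignmentProperties.description,
    AssignmentCreatedBy = AssignmentProperties.createdby,
    AssignmentCreatedOn = AssignmentProperties.createdon,
    // Last segment of the role definition id; map it to a role name for triage
    // (privileged built-in roles such as Owner or User Access Administrator first).
    AssignmentRoleDefinition = split(AssignmentProperties.roledefinitionid, '/')[-1],
    CorrelationId
// Drop joined rows whose paired record carried no assignment body
// (e.g. unrelated records that share the correlation id).
| where isnotempty(AssignmentPrincipalType)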
The query returns results similar to the following.