(PowerShell) Azure Monitor - List Activity Logs

Provides the list of records from the activity logs.

Note: The $filter criteria cannot specify a time range that begins more than 90 days in the past.

For more information, see https://docs.microsoft.com/en-us/rest/api/monitor/activitylogs/list

Chilkat .NET Downloads Chilkat .NET Assemblies

Add-Type -Path "C:\chilkat\ChilkatDotNet47-9.5.0-x64\ChilkatDotNet47.dll"

# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

$http = New-Object Chilkat.Http

# Load an OAuth2 access token previously fetched by this example:  Get Azure OAuth2 Access Token
$jsonToken = New-Object Chilkat.JsonObject
$success = $jsonToken.LoadFile("qa_data/tokens/azureToken.json")
# Assuming success..
$http.AuthToken = $jsonToken.StringOf("access_token")
$("AuthToken: " + $http.AuthToken)

$http.Accept = "application/json"

$resp = $http.QuickRequest("GET","https://management.azure.com/subscriptions/{subscriptionId}/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp%20ge%20%272019-05-16T04%3A36%3A37.6407898Z%27%20and%20eventTimestamp%20le%20%272019-06-12T04%3A36%3A37.6407898Z%27")
if ($http.LastMethodSuccess -ne $true) {
    $($http.LastErrorText)
    exit
}

$("Response Status Code: " + $resp.StatusCode)

$jsonResponse = New-Object Chilkat.JsonObject
$jsonResponse.Load($resp.BodyStr)
$jsonResponse.EmitCompact = $false
$($jsonResponse.Emit())

if ($resp.StatusCode -ne 200) {
    $("Failed.")

    exit
}

# Sample output...
# (See the parsing code below..)
# 
# Use the this online tool to generate parsing code from sample JSON: 
# Generate Parsing Code from JSON

# {
#   "value": [
#     {
#       "authorization": {
#         "action": "microsoft.support/supporttickets/write",
#         "role": "Subscription Admin",
#         "scope": "/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841"
#       },
#       "caller": "admin@contoso.com",
#       "claims": {
#         "aud": "https://management.core.windows.net/",
#         "iss": "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/",
#         "iat": "1421876371",
#         "nbf": "1421876371",
#         "exp": "1421880271",
#         "ver": "1.0",
#         "http://schemas.microsoft.com/identity/claims/tenantid": "1e8d8218-c5e7-4578-9acc-9abbd5d23315 ",
#         "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd",
#         "http://schemas.microsoft.com/identity/claims/objectidentifier": "2468adf0-8211-44e3-95xq-85137af64708",
#         "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "admin@contoso.com",
#         "puid": "20030000801A118C",
#         "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM",
#         "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John",
#         "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Smith",
#         "name": "John Smith",
#         "groups": "cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c",
#         "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": " admin@contoso.com",
#         "appid": "c44b4083-3bq0-49c1-b47d-974e53cbdf3c",
#         "appidacr": "2",
#         "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
#         "http://schemas.microsoft.com/claims/authnclassreference": "1"
#       },
#       "correlationId": "1e121103-0ba6-4300-ac9d-952bb5d0c80f",
#       "description": "",
#       "eventDataId": "44ade6b4-3813-45e6-ae27-7420a95fa2f8",
#       "eventName": {
#         "value": "EndRequest",
#         "localizedValue": "End request"
#       },
#       "httpRequest": {
#         "clientRequestId": "27003b25-91d3-418f-8eb1-29e537dcb249",
#         "clientIpAddress": "192.168.35.115",
#         "method": "PUT"
#       },
#       "id": "/subscriptions/089bd33f-d4ec-47fe-8ba5-0753aa5c5b33/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841/events/44ade6b4-3813-45e6-ae27-7420a95fa2f8/ticks/635574752669792776",
#       "level": "Informational",
#       "resourceGroupName": "MSSupportGroup",
#       "resourceProviderName": {
#         "value": "microsoft.support",
#         "localizedValue": "microsoft.support"
#       },
#       "operationId": "1e121103-0ba6-4300-ac9d-952bb5d0c80f",
#       "operationName": {
#         "value": "microsoft.support/supporttickets/write",
#         "localizedValue": "microsoft.support/supporttickets/write"
#       },
#       "properties": {
#         "statusCode": "Created"
#       },
#       "status": {
#         "value": "Succeeded",
#         "localizedValue": "Succeeded"
#       },
#       "subStatus": {
#         "value": "Created",
#         "localizedValue": "Created (HTTP Status Code: 201)"
#       },
#       "eventTimestamp": "2015-01-21T22:14:26.9792776Z",
#       "submissionTimestamp": "2015-01-21T22:14:39.9936304Z",
#       "subscriptionId": "089bd33f-d4ec-47fe-8ba5-0753aa5c5b33"
#     }
#   ],
#   "nextLink": "https://management.azure.com/########-####-####-####-############$skiptoken=######"
# }
# 

$nextLink = $jsonResponse.StringOf("nextLink")
$i = 0
$count_i = $jsonResponse.SizeOfArray("value")
while ($i -lt $count_i) {
    $jsonResponse.I = $i
    $authorizationAction = $jsonResponse.StringOf("value[i].authorization.action")
    $authorizationRole = $jsonResponse.StringOf("value[i].authorization.role")
    $authorizationScope = $jsonResponse.StringOf("value[i].authorization.scope")
    $caller = $jsonResponse.StringOf("value[i].caller")
    $claimsAud = $jsonResponse.StringOf("value[i].claims.aud")
    $claimsIss = $jsonResponse.StringOf("value[i].claims.iss")
    $claimsIat = $jsonResponse.StringOf("value[i].claims.iat")
    $claimsNbf = $jsonResponse.StringOf("value[i].claims.nbf")
    $claimsExp = $jsonResponse.StringOf("value[i].claims.exp")
    $claimsVer = $jsonResponse.StringOf("value[i].claims.ver")
    $claims_identity_claims_tenantid = $jsonResponse.StringOf("value[i].claims.`"http://schemas.microsoft.com/identity/claims/tenantid`"")
    $claims_claims_authnmethodsreferences = $jsonResponse.StringOf("value[i].claims.`"http://schemas.microsoft.com/claims/authnmethodsreferences`"")
    $claims_identity_claims_objectidentifier = $jsonResponse.StringOf("value[i].claims.`"http://schemas.microsoft.com/identity/claims/objectidentifier`"")
    $claims_ws_2005_05_identity_claims_upn = $jsonResponse.StringOf("value[i].claims.`"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn`"")
    $claimsPuid = $jsonResponse.StringOf("value[i].claims.puid")
    $claims_ws_2005_05_identity_claims_nameidentifier = $jsonResponse.StringOf("value[i].claims.`"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier`"")
    $claims_ws_2005_05_identity_claims_givenname = $jsonResponse.StringOf("value[i].claims.`"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`"")
    $claims_ws_2005_05_identity_claims_surname = $jsonResponse.StringOf("value[i].claims.`"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`"")
    $claimsName = $jsonResponse.StringOf("value[i].claims.name")
    $claimsGroups = $jsonResponse.StringOf("value[i].claims.groups")
    $claims_ws_2005_05_identity_claims_name = $jsonResponse.StringOf("value[i].claims.`"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`"")
    $claimsAppid = $jsonResponse.StringOf("value[i].claims.appid")
    $claimsAppidacr = $jsonResponse.StringOf("value[i].claims.appidacr")
    $claims_identity_claims_scope = $jsonResponse.StringOf("value[i].claims.`"http://schemas.microsoft.com/identity/claims/scope`"")
    $claims_claims_authnclassreference = $jsonResponse.StringOf("value[i].claims.`"http://schemas.microsoft.com/claims/authnclassreference`"")
    $correlationId = $jsonResponse.StringOf("value[i].correlationId")
    $description = $jsonResponse.StringOf("value[i].description")
    $eventDataId = $jsonResponse.StringOf("value[i].eventDataId")
    $eventNameValue = $jsonResponse.StringOf("value[i].eventName.value")
    $eventNameLocalizedValue = $jsonResponse.StringOf("value[i].eventName.localizedValue")
    $httpRequestClientRequestId = $jsonResponse.StringOf("value[i].httpRequest.clientRequestId")
    $httpRequestClientIpAddress = $jsonResponse.StringOf("value[i].httpRequest.clientIpAddress")
    $httpRequestMethod = $jsonResponse.StringOf("value[i].httpRequest.method")
    $id = $jsonResponse.StringOf("value[i].id")
    $level = $jsonResponse.StringOf("value[i].level")
    $resourceGroupName = $jsonResponse.StringOf("value[i].resourceGroupName")
    $resourceProviderNameValue = $jsonResponse.StringOf("value[i].resourceProviderName.value")
    $resourceProviderNameLocalizedValue = $jsonResponse.StringOf("value[i].resourceProviderName.localizedValue")
    $operationId = $jsonResponse.StringOf("value[i].operationId")
    $operationNameValue = $jsonResponse.StringOf("value[i].operationName.value")
    $operationNameLocalizedValue = $jsonResponse.StringOf("value[i].operationName.localizedValue")
    $propertiesStatusCode = $jsonResponse.StringOf("value[i].properties.statusCode")
    $statusValue = $jsonResponse.StringOf("value[i].status.value")
    $statusLocalizedValue = $jsonResponse.StringOf("value[i].status.localizedValue")
    $subStatusValue = $jsonResponse.StringOf("value[i].subStatus.value")
    $subStatusLocalizedValue = $jsonResponse.StringOf("value[i].subStatus.localizedValue")
    $eventTimestamp = $jsonResponse.StringOf("value[i].eventTimestamp")
    $submissionTimestamp = $jsonResponse.StringOf("value[i].submissionTimestamp")
    $subscriptionId = $jsonResponse.StringOf("value[i].subscriptionId")
    $i = $i + 1
}