Microsoft Azureintermediate

How to Enable Azure Activity Logs and Monitoring

Step-by-step guide to configuring Azure Activity Logs with diagnostic settings, Log Analytics workspace integration, and retention policies for comprehensive cloud monitoring.

9 min readUpdated 2026-01-13

Azure Activity Logs provide a comprehensive audit trail of subscription-level events, essential for security monitoring, compliance, and troubleshooting. This guide walks you through configuring diagnostic settings, setting up a Log Analytics workspace, and establishing appropriate retention policies.

This article is part of our comprehensive guide on Cloud Security Tips for 2026, which covers essential security practices across all major cloud platforms.

Overview

Azure Activity Logs capture operations performed on resources in your subscription at the management plane level. These logs include:

  • Administrative operations: Resource creation, modification, and deletion
  • Service health events: Azure service incidents and planned maintenance
  • Resource health events: Health status changes for your resources
  • Alert events: Azure Monitor alert activations
  • Autoscale events: Scale operations on VM scale sets and App Services
  • Policy events: Azure Policy deny and audit actions
  • Security events: Microsoft Defender for Cloud alerts

By default, Activity Logs are retained for 90 days and accessible only through the Azure Portal. To retain logs longer, enable alerting, or integrate with external systems, you must configure diagnostic settings.

Prerequisites

Before configuring Activity Log monitoring, ensure you have:

  • Azure subscription with Owner or Contributor role
  • Log Analytics workspace (we'll create one if needed)
  • Understanding of retention requirements for compliance
  • Azure CLI or Azure Portal access
  • Familiarity with Kusto Query Language (KQL) for log analysis

Step 1: Create a Log Analytics Workspace

A Log Analytics workspace serves as the central repository for Activity Logs and enables querying, alerting, and visualization.

Create Workspace via Azure Portal

  1. Sign in to the Azure Portal
  2. Search for Log Analytics workspaces and select it
  3. Click + Create
  4. Configure the workspace:
    • Subscription: Select your subscription
    • Resource group: Create new or select existing
    • Name: Enter a unique name (e.g., law-security-prod-001)
    • Region: Select a region close to your resources
  5. Click Review + Create, then Create

Create Workspace via Azure CLI

# Set variables
RESOURCE_GROUP="rg-security-monitoring"
WORKSPACE_NAME="law-security-prod-001"
LOCATION="eastus"

# Create resource group
az group create \
  --name $RESOURCE_GROUP \
  --location $LOCATION

# Create Log Analytics workspace
az monitor log-analytics workspace create \
  --resource-group $RESOURCE_GROUP \
  --workspace-name $WORKSPACE_NAME \
  --location $LOCATION \
  --sku PerGB2018 \
  --retention-time 365

# Get workspace ID for later use
WORKSPACE_ID=$(az monitor log-analytics workspace show \
  --resource-group $RESOURCE_GROUP \
  --workspace-name $WORKSPACE_NAME \
  --query id -o tsv)

echo "Workspace ID: $WORKSPACE_ID"

Step 2: Configure Diagnostic Settings for Activity Logs

Diagnostic settings route Activity Logs to your chosen destinations: Log Analytics, Storage account, or Event Hub.

Configure via Azure Portal

  1. Navigate to Monitor > Activity log
  2. Click Export Activity Logs or Diagnostic settings
  3. Click + Add diagnostic setting
  4. Configure the setting:
    • Diagnostic setting name: activity-logs-to-law
    • Log categories: Select all categories:
      • Administrative
      • Security
      • ServiceHealth
      • Alert
      • Recommendation
      • Policy
      • Autoscale
      • ResourceHealth
    • Destination details:
      • Check Send to Log Analytics workspace
      • Select your subscription and workspace
  5. Click Save

Configure via Azure CLI

# Get subscription ID
SUBSCRIPTION_ID=$(az account show --query id -o tsv)

# Create diagnostic setting for Activity Logs
az monitor diagnostic-settings subscription create \
  --name "activity-logs-to-law" \
  --subscription $SUBSCRIPTION_ID \
  --workspace $WORKSPACE_ID \
  --logs '[
    {"category": "Administrative", "enabled": true},
    {"category": "Security", "enabled": true},
    {"category": "ServiceHealth", "enabled": true},
    {"category": "Alert", "enabled": true},
    {"category": "Recommendation", "enabled": true},
    {"category": "Policy", "enabled": true},
    {"category": "Autoscale", "enabled": true},
    {"category": "ResourceHealth", "enabled": true}
  ]'

# Verify the diagnostic setting
az monitor diagnostic-settings subscription show \
  --name "activity-logs-to-law" \
  --subscription $SUBSCRIPTION_ID

Archive to Storage Account (Optional)

For long-term retention beyond Log Analytics limits:

# Create storage account for log archival
STORAGE_ACCOUNT="stlogarchive$(date +%s)"
az storage account create \
  --resource-group $RESOURCE_GROUP \
  --name $STORAGE_ACCOUNT \
  --location $LOCATION \
  --sku Standard_LRS \
  --kind StorageV2 \
  --https-only true \
  --min-tls-version TLS1_2

# Get storage account ID
STORAGE_ID=$(az storage account show \
  --resource-group $RESOURCE_GROUP \
  --name $STORAGE_ACCOUNT \
  --query id -o tsv)

# Update diagnostic setting to include storage
az monitor diagnostic-settings subscription create \
  --name "activity-logs-archive" \
  --subscription $SUBSCRIPTION_ID \
  --storage-account $STORAGE_ID \
  --logs '[
    {"category": "Administrative", "enabled": true, "retentionPolicy": {"enabled": true, "days": 730}},
    {"category": "Security", "enabled": true, "retentionPolicy": {"enabled": true, "days": 730}}
  ]'

Step 3: Configure Retention Policies

Proper retention balances compliance requirements with cost optimization.

Log Analytics Workspace Retention

# Set retention to 365 days
az monitor log-analytics workspace update \
  --resource-group $RESOURCE_GROUP \
  --workspace-name $WORKSPACE_NAME \
  --retention-time 365

# Verify retention setting
az monitor log-analytics workspace show \
  --resource-group $RESOURCE_GROUP \
  --workspace-name $WORKSPACE_NAME \
  --query retentionInDays

Table-Level Retention

Configure different retention periods for specific tables:

# Set AzureActivity table retention to 2 years (730 days)
az monitor log-analytics workspace table update \
  --resource-group $RESOURCE_GROUP \
  --workspace-name $WORKSPACE_NAME \
  --name AzureActivity \
  --retention-time 730 \
  --total-retention-time 730

Retention Recommendations by Compliance Framework

FrameworkMinimum RetentionRecommended
PCI DSS1 year1 year
HIPAA6 years7 years
SOX7 years7 years
GDPRAs needed2-3 years
General security90 days1 year

Step 4: Query Activity Logs

Use Kusto Query Language (KQL) to analyze Activity Logs in Log Analytics.

Basic Queries

// View all activity in the last 24 hours
AzureActivity
| where TimeGenerated > ago(24h)
| project TimeGenerated, Caller, OperationName, ResourceGroup, ActivityStatus
| order by TimeGenerated desc

// Find all delete operations
AzureActivity
| where OperationNameValue contains "delete"
| where ActivityStatusValue == "Success"
| project TimeGenerated, Caller, OperationName, Resource, ResourceGroup
| order by TimeGenerated desc

// Identify failed operations
AzureActivity
| where ActivityStatusValue == "Failed"
| summarize FailureCount = count() by OperationName, Caller
| order by FailureCount desc

Security-Focused Queries

// Detect role assignment changes
AzureActivity
| where OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write"
| project TimeGenerated, Caller, Properties, ResourceGroup

// Monitor network security group changes
AzureActivity
| where ResourceProviderValue == "Microsoft.Network"
| where OperationNameValue contains "securityRules"
| project TimeGenerated, Caller, OperationName, Resource

// Track policy violations
AzureActivity
| where CategoryValue == "Policy"
| where ActivityStatusValue == "Failed"
| project TimeGenerated, OperationName, Resource, Properties

Step 5: Create Alerts on Activity Logs

Configure alerts for critical operations:

Create Alert via Azure Portal

  1. Navigate to Monitor > Alerts
  2. Click + Create > Alert rule
  3. Configure the alert:
    • Scope: Select your subscription
    • Condition: Select Activity Log signal
    • Signal name: Choose operation (e.g., "Delete Security Rule")
    • Alert logic: Status = Succeeded
  4. Configure Actions:
    • Create or select an action group
    • Add email, SMS, or webhook notifications
  5. Configure Details:
    • Alert rule name: "Critical Security Rule Deletion"
    • Severity: 1 - Error
  6. Click Create alert rule

Create Alert via Azure CLI

# Create action group for notifications
az monitor action-group create \
  --resource-group $RESOURCE_GROUP \
  --name "security-alerts-ag" \
  --short-name "SecAlerts" \
  --email-receiver name="security-team" email-address="[email protected]"

# Create activity log alert for NSG changes
az monitor activity-log alert create \
  --resource-group $RESOURCE_GROUP \
  --name "nsg-rule-change-alert" \
  --description "Alert on NSG rule modifications" \
  --scope "/subscriptions/$SUBSCRIPTION_ID" \
  --condition category=Administrative and operationName=Microsoft.Network/networkSecurityGroups/securityRules/write \
  --action-group security-alerts-ag

Best Practices

  1. Enable all log categories: Capture comprehensive audit data for security analysis
  2. Use multiple destinations: Send to Log Analytics for querying and Storage for long-term archival
  3. Set appropriate retention: Match retention to compliance requirements
  4. Create critical alerts: Monitor for privilege escalation and security-relevant changes
  5. Review logs regularly: Establish a cadence for log review and threat hunting
  6. Protect log storage: Enable immutable storage for compliance-critical logs

Troubleshooting

Logs not appearing in Log Analytics:

  • Allow 5-15 minutes for initial data ingestion
  • Verify diagnostic setting status in Portal
  • Check workspace is in the same or accessible region

High ingestion costs:

  • Review log categories and disable unnecessary ones
  • Implement table-level retention policies
  • Use Basic Logs tier for less frequently accessed data

Missing specific log categories:

  • Ensure all required categories are enabled in diagnostic settings
  • Some categories require specific Azure features to be active

Next Steps

After configuring Activity Log monitoring, consider these enhancements:

  • Enable Microsoft Sentinel for advanced threat detection
  • Configure Resource Logs for data plane visibility
  • Set up Workbooks for visualization dashboards
  • Review Cloud Security Tips for 2026 for comprehensive cloud security guidance

Frequently Asked Questions

Find answers to common questions

Activity Logs capture subscription-level operations like resource creation, deletion, and configuration changes. They answer "who did what and when" at the management plane. Resource Logs (formerly Diagnostic Logs) capture data plane operations within resources, such as SQL query execution or storage blob access. Both are essential for comprehensive monitoring but serve different purposes.

Azure Infrastructure Experts

Comprehensive Azure management including architecture, migration, security, and 24/7 operations.

Learn About Cloud Infrastructure ManagementExplore Cloud Migration

Related Articles

Microsoft Defender for Cloud CIS Benchmark Compliance Guide

Complete guide to implementing CIS Azure Foundations Benchmark compliance with Microsoft Defender for Cloud, including compliance dashboard, controls, remediation, and Secure Score.

Read More →

Microsoft Defender Vulnerability Assessment Guide

Complete guide to continuous vulnerability scanning with Microsoft Defender for Cloud, including scanner setup, recommendations, remediation, and Secure Score optimization.

Read More →

Azure Global Administrator Best Practices: Securing Privileged Accounts

Learn how to secure Azure Global Administrator accounts with emergency access, Privileged Identity Management (PIM), MFA enforcement, and least-privilege principles for enterprise security.

Read More →
Back to Microsoft Azure