Azure Activity Logs for Management Group and Subscription creation/deletion do not match the expected schema
I have a diagnostic setting set up for my root management group:
{
  "id": "providers/Microsoft.Management/managementGroups/MY-ROOT-MANAGEMENT-GROUP-ID/providers/microsoft.insights/diagnosticSettings/ManagementSetting",
  "type": "Microsoft.Insights/diagnosticSettings",
  "name": "ManagementSetting",
  "location": "global",
  "properties": {
    "eventHubAuthorizationRuleId": "/subscriptions/XXXXXX/resourceGroups/XXXXXX/providers/Microsoft.EventHub/namespaces/XXXXXX/authorizationrules/eventHubAuthzRule",
    "eventHubName": "XXXXXX",
    "logs": [
      {
        "category": "Administrative",
        "enabled": true,
        "categoryGroup": null
      },
      {
        "category": "Policy",
        "enabled": false,
        "categoryGroup": null
      }
    ]
  }
}
and using this, I'm able to get activity log events for resource group creation/deletion etc. However, I have two exceptions:
- Creating a Management Group
- Creating a Subscription
In these two cases, I get a very different log format in my event hub. For example, if I create a subscription:
{
  "tenantId": "XXXXXX",
  "correlationId": "32ea4f85-0ad1-40c3-aef5-93b746135f7c",
  "time": "2024-09-30T17:24:16.3227927Z",
  "resourceId": "/subscriptions/ec1c689a-ccdd-49f3-8d1c-9a573317e46a",
  "category": "Administrative",
  "operationName": "Microsoft.Management",
  "resultType": "Succeeded",
  "properties": {
    "entity": "ec1c689a-ccdd-49f3-8d1c-9a573317e46a",
    "message": "Entity ec1c689a-ccdd-49f3-8d1c-9a573317e46a is created with parent entity EventsManagementGroup",
    "hierarchy": "XXXXXX/EventsManagementGroup/XXXXXX"
  }
}
Notice how the operationName is Microsoft.Management.
What is interesting is if I open my Activity Log and select the parent management group in the management group dropdown, I get this specific format of log. However, if I select the subscription (ec1c689a-ccdd-49f3-8d1c-9a573317e46a), I can see the expected log format:
{
  "authorization": {},
  "caller": "tester@XXXXX.com",
  "channels": "Operation",
  "claims": {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn": "tester@test.com"
  },
  "correlationId": "\"CorrelationId\":\"a6003b48-68ea-4036-8f83-6ba533c6de04\"",
  "description": "",
  "eventDataId": "346b234d-ee23-896e-5c31-5ddd51d96c8e",
  "eventName": {
    "value": "",
    "localizedValue": ""
  },
  "category": {
    "value": "Security",
    "localizedValue": "Security"
  },
  "eventTimestamp": "2024-09-30T17:23:49.916568Z",
  "id": "/SUBSCRIPTIONS/EC1C689A-CCDD-49F3-8D1C-9A573317E46A/events/346b234d-ee23-896e-5c31-5ddd51d96c8e/ticks/638633138299165680",
  "level": "Informational",
  "operationId": "",
  "operationName": {
    "value": "Microsoft.Subscription/Subscriptions/write",
    "localizedValue": "Create subscription"
  },
  "resourceGroupName": "",
  "resourceProviderName": {
    "value": "",
    "localizedValue": ""
  },
  "resourceType": {
    "value": "",
    "localizedValue": ""
  },
  "resourceId": "/SUBSCRIPTIONS/EC1C689A-CCDD-49F3-8D1C-9A573317E46A",
  "status": {
    "value": "Succeeded",
    "localizedValue": "Succeeded"
  },
  "subStatus": {
    "value": "",
    "localizedValue": ""
  },
  "submissionTimestamp": "2024-09-30T17:23:49.916568Z",
  "subscriptionId": "EC1C689A-CCDD-49F3-8D1C-9A573317E46A",
  "tenantId": "",
  "relatedEvents": []
}
You can see this has the correct operationName, Microsoft.Subscription/Subscriptions/write, and the expected data. I just don't understand why I can never see the second log format in my event hub, only the first. They are both Azure Activity Logs from the Administrative category. Any insight would be appreciated.