# Activity log

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/activity-log

## Quick definition

An activity log is a monitoring tool in Azure that keeps track of every change made to your cloud resources. It records actions like creating a virtual machine, deleting a storage account, or assigning permissions. This log helps you see who made the change, what time it happened, and whether it was successful. It is essential for security audits, compliance checks, and troubleshooting issues in your Azure environment.

## Simple meaning

Imagine you live in a shared apartment with three roommates. You want to know who comes in and out, what they do, and when they do it. So you set up a small notebook by the front door. Every time someone enters or leaves, they write down their name, the time, and what they did, "Alex, 3:15 PM, took out the garbage" or "Jamie, 8:07 PM, locked the door." That notebook is your activity log. In the IT world, especially with Azure cloud services, an activity log works the same way. It is a central notebook that records every significant action taken on your cloud resources. When an administrator creates a new virtual machine, the log notes who did it and when. When someone deletes a backup file, the log captures that too. This is incredibly useful because in a busy IT environment, dozens of people might have access to your cloud resources. If something breaks, say a website goes down, you can check the activity log to see whether someone accidentally changed a configuration setting. If a security breach happens, you can trace back who accessed sensitive data. The activity log does not record the data itself, only the actions taken on the resources. So it is more like a log of who turned the knob rather than what they saw inside the safe. This makes it a critical tool for accountability, troubleshooting, and staying compliant with rules like GDPR or HIPAA. Without an activity log, tracking down problems in a large cloud environment would be like trying to find out who left the milk out in that apartment without any notebook, you’d just have to guess.

## Technical definition

An Azure Activity Log is a platform-level log in Microsoft Azure that provides insight into subscription-level events. It records all control-plane operations on Azure Resource Manager (ARM) resources, including create, read, update, and delete (CRUD) operations, as well as service health events, administrative alerts, and policy events. The Activity Log is a built-in feature of every Azure subscription and is retained by default for 90 days. It is not a diagnostic log for the internal operations of a resource (like application logs inside a virtual machine) but rather a log of actions performed on the Azure platform itself.

The Activity Log captures several categories of events: Administrative events (such as resource creation or deletion), Service Health events (like a regional outage affecting your resources), Alert events (triggered by Azure Monitor alerts), Autoscale events (when scaling actions are taken), and Security events (such as Azure Security Center findings and Azure Policy evaluations). Each event in the Activity Log contains a rich set of properties: the caller identity (user principal name, object ID, or service principal), the timestamp, the operation name (e.g., "Microsoft.Compute/virtualMachines/write"), the resource ID, the HTTP method and status code, the request body (if available), and the correlation ID, which is used to link related events across different logs.

From a technical implementation perspective, the Activity Log relies on Azure Resource Manager as the central control plane. Every time an API call is made to ARM to manage a resource, ARM logs the request and its outcome. The log data is then stored in Azure Monitor’s internal data store, which is highly available and scalable. You can access the Activity Log through the Azure portal (under Monitor → Activity Log), via the Azure CLI with the command "az monitor activity-log list", through PowerShell with Get-AzLog, or programmatically using the Azure Monitor REST API. The log can be filtered by time range, severity, event category, resource group, resource type, and operation name.

For long-term retention and advanced querying, you can export the Activity Log to a Log Analytics workspace (which allows Kusto Query Language (KQL) queries), to Azure Event Hubs (for streaming to third-party SIEM tools like Splunk or Sumo Logic), or to Azure Storage (for archiving). Using Azure Policy, you can enforce the export of Activity Logs to a Log Analytics workspace to ensure compliance. The Activity Log is also central to Azure Role-Based Access Control (RBAC) auditing, as every RBAC assignment or change is recorded. This makes it an indispensable tool for security auditing, compliance reporting, and operational troubleshooting in Azure environments.

## Real-life example

Think of a large public library. There are many librarians, volunteers, and staff members who can manage the books, rooms, and systems. One day, a rare book goes missing. The head librarian needs to find out who last handled it, who moved it, and whether it was checked out legitimately. Without a record, it would be impossible to solve the mystery. So imagine that every time anyone takes a book off the shelf, adds a new book, or changes the location of a special collection, they must scan a barcode on the book and write down their employee ID on a shared clipboard. That clipboard is the library’s activity log. In the same way, when you work with Azure cloud resources, your Activity Log records every action taken on your resources, like creating a virtual machine, deleting a storage bucket, or changing a firewall rule. If your company’s website goes down, you can check the Activity Log to see if someone accidentally deleted the web server or changed its configuration. It gives you the person’s identity, the exact time, and the status of the operation. It does not record the contents of the books, just the actions about the books. That parallels how Azure’s Activity Log captures management events, not the data inside your databases or virtual machines. So if you ever need to investigate a change or prove compliance, the Activity Log is your trusted clipboard, tracking every move made in your cloud library.

## Why it matters

In any IT environment, knowing what changed and who changed it is critical for maintaining security, stability, and compliance. The Azure Activity Log is the primary source of truth for all management-plane operations in a subscription. Without it, you would be blind to unauthorized changes, accidental deletions, or misconfigurations that can cause downtime. For IT professionals managing Azure resources, the Activity Log is the first place to look when diagnosing an issue. For example, if a production virtual machine suddenly stops responding, you can check the Activity Log to see whether an administrator stopped it, whether a policy denied an update, or whether a service health event caused an outage. This saves hours of guesswork.

For security teams, the Activity Log is essential for audit trails. Compliance frameworks like SOC 2, ISO 27001, and HIPAA require evidence of monitoring and logging. The Activity Log provides a tamper-evident log of who accessed which resources and when. By exporting the log to a Log Analytics workspace or to an external SIEM, you can set up alerts for suspicious activities, such as a user creating a new virtual machine in an unusual region or a policy violation. This proactive monitoring helps prevent and detect security incidents early.

From a governance perspective, the Activity Log enables Azure Policy enforcement and RBAC auditing. If a user gains unintended permissions, the Activity Log will show the exact time of the role assignment change and who performed it. This allows you to quickly revert the change and investigate further. The Activity Log matters because it turns your cloud environment from a black box into a transparent, accountable system. It gives you the visibility needed to run a secure, compliant, and reliable infrastructure.

## Why it matters in exams

For the AZ-104 Microsoft Azure Administrator exam, the Activity Log is a fundamental topic covered under the "Monitor and maintain Azure resources" section. Specifically, the exam objective "Monitor resources in Azure" includes configuring and interpreting the Activity Log. You can expect questions that test your knowledge of how to access the Activity Log, filter events, retain logs, and export them to other destinations. The exam also focuses on the distinction between the Activity Log and diagnostic logs (also called resource logs). Knowing that the Activity Log covers management-plane events, while diagnostic logs cover data-plane events inside a resource (like IIS logs on a VM or SQL query logs), is a common point of distinction tested on the exam.

Question types often include scenario-based questions where you need to decide where to look for a specific issue. For example: "A user reports that a virtual machine was deleted yesterday. How can the administrator find out who deleted it and when?" The correct answer will direct you to the Activity Log, filtered by the time range and the delete operation. You may also be asked about retention: the default retention period is 90 days, but you can export to a Log Analytics workspace for longer retention. Another common topic is the difference between Azure Monitor, Activity Logs, and the diagnostic settings. You may need to configure a diagnostic setting to stream the Activity Log to a Log Analytics workspace or to an Event Hub. The exam may present a scenario where a company wants to centralize logs from multiple subscriptions; you would need to configure a diagnostic setting to send the Activity Log to a Log Analytics workspace in a central logging subscription.

exam questions may test your understanding of how to use the Activity Log for auditing RBAC changes. If an administrator accidentally assigns the Contributor role to a user, the Activity Log will show that event. You might be asked how to set up an alert on a specific Activity Log event. This ties into Azure Monitor alerts, where you can create an alert rule that triggers when a particular operation is logged, such as "Create or Update Virtual Machine" or "Delete Storage Account." Understanding these integrations is critical for the exam. Finally, be prepared to see questions that differentiate between the Activity Log and Azure Resource Health. Service Health events appear in the Activity Log, but Resource Health is a separate view focused on ongoing service issues. The Activity Log appears across multiple exam objectives, so mastery of its capabilities and limitations is essential for passing the AZ-104.

## How it appears in exam questions

Activity Log questions on the AZ-104 are usually integrated into broader scenario-based problems. One typical pattern is the "who deleted the resource" scenario. The question says: "You administer an Azure subscription. Several team members have Contributor access to a resource group. A user reports that a critical storage account was deleted two days ago. How can you determine who deleted it?" The answer choices will include checking the Activity Log, checking diagnostic settings on the storage account, reviewing audit logs in Azure AD, or checking Azure Resource Health. The correct answer is to use the Activity Log filtered by the deletion operation and the time range.

Another common question type involves export and retention. For example: "Your company needs to retain Azure Activity Logs for seven years to meet compliance requirements. What should you do?" The correct answer typically involves exporting the Activity Log to a Log Analytics workspace (which offers long-term retention) or to an Azure Storage account with immutable storage. Some questions may ask about streaming logs to a third-party SIEM; in that case, you would use an Event Hub export.

Configuration questions appear as well: "You need to receive an email whenever a virtual machine is created in your subscription. How should you configure this?" The answer is to create an alert in Azure Monitor with a signal type of Activity Log, selecting the operation "Create or Update Virtual Machine" and setting the action group to send an email. Questions may also test your ability to filter logs. For instance: "You want to view all administrative events related to a specific resource group in the last 24 hours. Which filter would you apply?" The answer would be to filter by resource group, time range, and event category (Administrative).

the exam sometimes presents a comparison question: "Your application is experiencing errors. You suspect it is due to a recent configuration change. Which log should you examine first?" The correct answer is the Activity Log because it captures management-plane changes. Diagnostic logs would only help if the application itself is logging errors internally. Understanding when to use the Activity Log versus diagnostic logs versus Azure Monitor metrics is a key skill tested on the AZ-104.

## Example scenario

Imagine you are the Azure administrator for a small e-commerce company. Your team has five people with Contributor permissions on the production subscription. One Monday morning, you notice that the company’s main web application is not loading. Users are seeing a "404 Not Found" error. You need to find out what happened over the weekend. You open the Azure portal and navigate to Monitor → Activity Log. You set the time range to the past 48 hours and filter by the resource group that contains the web app. You immediately see an event from Sunday at 2:15 AM: "Delete Storage Account" performed by a user named "jane.doe@company.com". You click on the event and see the full details: the operation was successful, the resource ID points to the storage account that hosted the static content for the website. Jane, a new intern, meant to delete an old test storage account but mistakenly deleted the production asset. Armed with this information, you restore the storage account from a soft-delete snapshot and then have a conversation with Jane about double-checking resource IDs before deleting. In this scenario, the Activity Log saved hours of investigation and prevented further downtime. Without it, you might have spent time checking the web server logs or restarting services, never suspecting a storage account deletion. This simple example shows how the Activity Log is the first place to look when something goes wrong in Azure.

## Common mistakes

- **Mistake:** Confusing Activity Log with diagnostic logs (resource logs).
  - Why it is wrong: The Activity Log captures management-plane events like resource creation or deletion, while diagnostic logs capture data-plane events inside a resource, such as application logs, IIS logs, or system logs. Using the Activity Log to troubleshoot an application-level error is ineffective.
  - Fix: Remember: Activity Log = platform-level (who created this VM?). Diagnostic log = resource-level (what is happening inside this VM?).
- **Mistake:** Thinking the Activity Log retains data indefinitely by default.
  - Why it is wrong: The default retention for the Activity Log is only 90 days. Many administrators assume it lasts longer and lose critical audit data for compliance. You must configure export to a Log Analytics workspace or storage account for longer retention.
  - Fix: Plan for long-term retention. If you need logs for more than 90 days, set up a diagnostic setting to send Activity Log to a Log Analytics workspace or Azure Storage with the appropriate retention policy.
- **Mistake:** Assuming all actions on a resource appear in the Activity Log.
  - Why it is wrong: The Activity Log only captures control-plane (management) actions. Operations that happen entirely within a resource, like a user logging into a VM via RDP or an application writing to a database, are not recorded in the Activity Log. Those require diagnostic logs or Azure AD sign-in logs.
  - Fix: For full visibility, combine Activity Log with diagnostic logs for the specific resource, and Azure AD logs for user sign-in events.
- **Mistake:** Not filtering the Activity Log properly and getting overwhelmed.
  - Why it is wrong: In a busy subscription, the Activity Log can contain thousands of events per day. Without filtering by time range, resource group, or operation type, you will waste time scrolling through irrelevant entries.
  - Fix: Always start with a specific time range and use filters like resource group, event category, or operation name. Use the "Add filter" button to narrow down quickly.
- **Mistake:** Believing that the Activity Log shows the content of data operations.
  - Why it is wrong: The Activity Log records the fact that a data operation happened (like "List Keys" on a storage account), but it does not log the actual data or keys. Some administrators mistakenly think they can see what data was accessed or modified.
  - Fix: Understand that the Activity Log is for governance and auditing of actions, not for data content monitoring. For data-level auditing, use features like Azure Storage analytics logs or SQL Auditing.

## Exam trap

{"trap":"You are asked to find out why a virtual machine performance is slow. The question offers checking the Activity Log as one answer. Learners pick the Activity Log because they know it logs VM events.","why_learners_choose_it":"The Activity Log does log VM creation, deletion, and configuration changes, so learners assume it also logs performance metrics. They may not realize that performance data comes from metrics (like CPU and memory) in Azure Monitor, not from the Activity Log.","how_to_avoid_it":"Remember that the Activity Log records control-plane events (management actions), not performance or diagnostic data. For performance issues, you need Azure Monitor metrics or diagnostic logs. The Activity Log would only be relevant if a configuration change preceded the performance drop. In that case, you would check the Activity Log for a recent change, then use metrics to confirm the impact."}

## Commonly confused with

- **Activity log vs Diagnostic Logs (Resource Logs):** Diagnostic logs are generated by the resource itself (like IIS logs on a VM or SQL query logs) and contain data about the resource's internal operations. Activity Logs, on the other hand, record actions performed on the resource from outside, such as creating, deleting, or modifying the resource. They are complementary but serve different purposes. (Example: If you want to see who deleted a storage account, use the Activity Log. If you want to see which files were accessed inside that storage account, you need the storage account's diagnostic logs.)
- **Activity log vs Azure AD Sign-in Logs:** Azure AD sign-in logs track user authentication events, like when a user logs into the Azure portal or an application. Activity Logs track resource management events. A user might sign in successfully (Azure AD log) but then attempt a resource operation that fails (Activity Log). The two logs together give a complete audit trail. (Example: To see if a specific user tried to access the Azure portal but was denied, check Azure AD sign-in logs. To see if that same user successfully created a virtual machine after signing in, check the Activity Log.)
- **Activity log vs Azure Resource Health:** Resource Health provides information about the current health of your Azure resources and any ongoing issues from the Azure platform. It tells you if your resource is down due to an Azure outage. The Activity Log records historical actions on the resource. They serve different needs: Activity Log for historical audit, Resource Health for current status. (Example: If a VM is unresponsive and you suspect an Azure platform issue, check Resource Health. If you want to see if someone stopped the VM last night, check the Activity Log.)
- **Activity log vs Azure Monitor Metrics:** Azure Monitor Metrics are numerical data points collected over time, such as CPU percentage, disk IO, or network throughput. They are used for performance monitoring and alerts. The Activity Log is text-based and event-driven, not numerical. Metrics show the 'how well', Activity Log shows the 'who did what'. (Example: Use metrics to set an alert when CPU goes above 90%. Use the Activity Log to find out who changed the VM size that caused the CPU spike.)

## Step-by-step breakdown

1. **Triggering Event** — An event occurs when a user, application, or automated process makes an API call to Azure Resource Manager. This could be creating a VM, deleting a storage account, assigning a role, or triggering a policy evaluation.
2. **Log Capture by ARM** — Azure Resource Manager intercepts the API call, authenticates the caller, authorizes the action, and then records the operation details. It captures the caller identity, operation name, resource ID, timestamp, and HTTP status code.
3. **Categorization** — The event is categorized into one of several types: Administrative, Service Health, Alert, Autoscale, or Security. This helps with filtering and analysis later. Most events are Administrative.
4. **Storage in Azure Monitor** — The log entry is written to the Azure Monitor data store specific to the subscription. It is automatically retained for 90 days. The data is stored in a highly available manner and is indexed for fast querying.
5. **User Access and Filtering** — An administrator accesses the Activity Log via the Azure portal, Azure CLI, PowerShell, or the REST API. They apply filters like time range, resource group, event category, or operation name to narrow down the results.
6. **Export for Long-Term Use** — If longer retention or advanced analysis is needed, a diagnostic setting is configured to export the Activity Log to a Log Analytics workspace (for KQL queries), an Azure Storage account (for archival), or an Event Hub (for streaming to a SIEM).
7. **Alerting and Integration** — Administrators can create Azure Monitor alert rules based on Activity Log events. For example, an alert can be set to fire whenever a VM is deleted. The alert can trigger an email, SMS, webhook, or run an automation runbook.

## Practical mini-lesson

In a real production environment, you should treat the Activity Log as your primary forensic tool. When something goes wrong, the first step is to check the Activity Log for any recent changes. For instance, if a web application goes down, open the Azure portal, go to Monitor, click on Activity Log, set the time range to the last 24 hours, and filter by the resource group or resource type. Look for operations like "Delete", "Update", or "Write" that could have caused the issue. Pay attention to the caller field, it tells you which user or service principal performed the action. The status field indicates whether the operation succeeded or failed. A failed operation might indicate a policy denial, which you can investigate further in Azure Policy.

When planning for compliance, you must configure diagnostic settings to export the Activity Log. For example, in a multi-subscription environment, you can send all Activity Logs to a central Log Analytics workspace. This allows you to run cross-subscription queries and set up global alerts. You can also enable Azure Policy to enforce this export for all new subscriptions. A common mistake is to only export logs after an incident. By then, you may have lost critical data if the 90-day retention window has passed.

Another practical use is for cost management. You can create an alert when a new expensive resource (like a large VM or a premium storage account) is created. This helps you catch forgotten resources that could run up costs. Similarly, you can use the Activity Log to track deallocations of VMs to ensure they are not being stopped out of hours, which can help reduce compute costs.

What can go wrong with the Activity Log? First, it has a default retention of 90 days. If you do not export it, older logs are permanently deleted. Second, the Activity Log is subscription-scoped, so you cannot view logs from another subscription unless you have appropriate permissions and the logs are centralized. Third, performance of the Activity Log view can be slow if you don't filter properly, always narrow down the time range and use filters. Finally, be aware that some operations, like Azure Policy evaluation, generate many events that can clutter the log. You can filter these out by selecting only the event categories you need.

For professional use, get comfortable with the Azure CLI command: "az monitor activity-log list --resource-group RG1 --start-time 2025-03-01 --end-time 2025-03-02 --output table". This is faster than the portal for repetitive queries. Also, learn how to use KQL in Log Analytics to query exported Activity Logs, as that allows you to correlate data with other logs. For example, you can join Activity Log events with Azure AD sign-in logs to get a full picture of who did what.

## Memory tip

Activity Log = "Who touched the resource, and when." Think of it as the front-door security camera for your Azure resources, it records everyone who enters or changes anything, but not what they do inside.

## FAQ

**How long are Activity Logs retained by default?**

By default, Azure retains Activity Logs for 90 days. After that, they are automatically deleted. You can extend retention by exporting the logs to a Log Analytics workspace, Azure Storage, or Event Hub.

**Can I see what data was accessed in a storage account using the Activity Log?**

No. The Activity Log records management actions, not data access. To see read and write operations on blobs or files, you need to enable storage analytics logging or use Azure Storage logs.

**Is the Activity Log available for every Azure subscription?**

Yes, the Activity Log is automatically enabled for every Azure subscription. You do not need to configure it. However, you do need to configure diagnostic settings to export it for long-term retention or advanced querying.

**Can I set up alerts based on Activity Log events?**

Yes. You can create an Azure Monitor alert rule that triggers when a specific operation occurs in the Activity Log, such as creating a VM or deleting a resource. You can configure the alert to send an email, SMS, or trigger an automation runbook.

**How do I find out who stopped a virtual machine?**

Go to the Activity Log in the Azure portal, filter by the resource group containing the VM, set the time range, and look for the operation "Deallocate Virtual Machine" or "Power Off Virtual Machine." The caller field will show the identity of the user or service that performed the action.

**Does the Activity Log show operations from all regions?**

Yes, the Activity Log is subscription-wide, so it shows events from all regions where you have resources. You can filter by location if needed.

**Can I delete Activity Log events?**

No. Activity Log events are immutable and cannot be deleted by users. This is intentional to preserve audit integrity. The data is automatically purged after 90 days unless exported elsewhere.

## Summary

The Azure Activity Log is a critical monitoring tool that records every management operation performed on resources within an Azure subscription. It captures who performed the action, what the action was, when it happened, and the result. This log is automatically enabled for all subscriptions and retained for 90 days by default. Understanding the Activity Log is essential for Azure administrators, as it serves as the primary source for auditing changes, troubleshooting issues, and ensuring compliance. The log is part of Azure Monitor and can be accessed through the portal, CLI, PowerShell, or API. For long-term retention and advanced analysis, you must configure diagnostic settings to export the log to a Log Analytics workspace, Azure Storage, or Event Hub.

For the AZ-104 exam, you will need to know the differences between the Activity Log and other logs, such as diagnostic logs and Azure AD sign-in logs. You will encounter scenario-based questions where you must identify the correct log to use for a specific investigation. Common traps include confusing the Activity Log with performance metrics or diagnostic logs. Mastering the filters, retention options, and alerting capabilities of the Activity Log will help you answer exam questions confidently and apply this knowledge in real-world administration. The key takeaway is that the Activity Log is your go-to tool for answering the question, "Who changed what in my Azure environment?"

---

Practice questions and the full interactive page: https://courseiva.com/glossary/activity-log
