This article is contributed. See the original author and article here.

Introduction


A common ask from enterprise customers is the ability to monitor for the creation of Azure Subscriptions. This is not as easy as you might think so I wanted to walk you through a solution I’ve used to accomplish this. Below we will walk through creating an Azure Logic App that runs on a schedule and inserts the current subscriptions into Log Analytics. Once we have the data in Log Analytics we can either visualize new subscriptions or alert on them. 


 


Step 1: Create a Service Principal 


Our Logic App will utilize a Service Principal to query for the existing subscriptions. For this solution to work as intended you need to create a new Service Principal and then give them at least “Read” rights at your root Management Group.


 


If you’ve never created a service principal, you can follow this article: 


 


Create an Azure AD app & service principal in the portal – Microsoft identity platform | Microsoft Docs 


 


You’ll need the following information from the service principal: 



  • Application (client) id 

  • Tenant id 

  • Secret 


Once the service principal has been created you need to give it reader rights at the Management Group level.  


 


Open the “Management Group” blade in the Azure portal. From the root Management Group click on the (details) link. 


bwatts670_0-1609185963263.png


 


 Click on “Access Control” | “Add” | “Add role assignment” 


bwatts670_1-1609185963268.png


 


 Grant the Service Principal the “Reader” role. 


bwatts670_2-1609185963273.png


 


 Step 2: Create the Logic App 


In the Logic App blade click on “Add” 


bwatts670_3-1609185963277.png


 


 Fill in the required fields and create the Logic App. 


bwatts670_4-1609185963325.png


 


 In the Logic App Designer choose the “Recurrence” template. 


bwatts670_5-1609185963329.png


 


 Configure the interval that you want to query for subscriptions. I chose to query every hour below. Then click on the “New step” button: 


bwatts670_6-1609185963282.png


 


 Search for “azure resource manager and choose the “List subscriptions (preview)” action. 


bwatts670_7-1609185963332.png


 


 You want to connect with a service principal. 


bwatts670_8-1609185963285.png


 


 Fill in the information for your service principal (the “Connection Name” is just a display name): 


bwatts670_9-1609185963287.png


 


 Note that this action doesn’t require any configuration besides setting up the connection. After configuring the service principal click on “New Step” and search for “Azure Log Analytics.” Choose the “Send Data (preview)” action. 


bwatts670_10-1609185963336.png


 


 Connect to the Log Analytics workspace that you want to send the data to. You can get the workspace id and key within the Log Analytics blade in Azure: 


bwatts670_11-1609185963292.png


 


 Once the connection is made to the Log Analytics Workspace you need to configure the connector: 



  • JSON Request Body: click in the box and then choose “Item” from the dynamic content 


bwatts670_12-1609185963296.png


 



  • Custom Log Name: Name of the log to be created in Log Analytics. Below I chose SubscriptionInventory 


bwatts670_13-1609185963299.png


 


 Note that when you choose “Item” it will put the “Send Data” action into a loop. 


We can go ahead and save the Logic App and optionally run it to test the insertion of data into Log Analytics. 


 


Step 3: Wait 


This Logic App will need to run for a while before the data is useful. You can verify that the Logic App runs every hour and view the raw data in Log Analytics to verify everything is working.  


Below is an example of viewing the table “SubscirptionInventory_CL” in Log Analytics 


bwatts670_14-1609185963301.png


 


Step 4: Setting up Alerts 


We will setup an alert for Subscriptions created in the last 4 hours. 


Below is the Kusto query we can use to find the subscriptions created in the last 4 hours: 


 


SubscriptionInventory_CL 


| summarize arg_min(TimeGenerated, *) by SubscriptionId 


| where TimeGenerated >= ago(4h) 


| project TimeGenerated, displayName_s, state_s, SubscriptionId 


 


The key to this query is using the arg_min to get the first time we see the subscription added to log analytics. When we setup the alert we will look back a couple days and get the first occurrence of the subscription and then if the first occurrence is within the last 4 hours create an alert. 


 


Now we are ready to create the alert within Azure Monitor. Open your Log Analytics Workspace and go to the Logs tab. Run the above query in Log Analytics and then click on “New alert rule” 


 


bwatts670_15-1609185963304.png


 


 **Note: I find this easier than going through Azure Monitor to create the alert because this selects your workspace and puts the correct query in the alert configuration. 


 


You’ll see a red exclamation point next to the condition. Click on the condition to finish configuring the alert. Below are the parts you need to configure highlighted. 


 


bwatts670_16-1609185963339.png


 


 Now you just finish creating the alert. If you’ve never created an Azure Monitor Alert here is documentation to help you finish the process. 


 


Create, view, and manage log alerts Using Azure Monitor – Azure Monitor | Microsoft Docs 


 


**Note: Make sure you let the Logic App run for longer than the period you’re alerting on. In this example I’d need to let my Logic App run for at least 5 hours (4 hours is the alert threshold + 1 hour). The query relies on the history so if I run this before my Logic App has run long enough then it will trigger saying every subscription. 


 


Step 5: Visualizing through Workbooks 


We can utilize a simple Azure Workbook to visualize the data in Log Analytics. The below workbook has the following parameters: 



  • Created Since: set this to show all the subscriptions created since this date 

  • Subscription: Filter down to the subscription that has the Log Analytics Workspace with the data 

  • LA Workspace: Select the Log Analytics workspace that you’re Logic App is putting data into 


**Note: This workbook is assuming that the table name that your using is SubscriptionInventory_CL. If you’re using a different table name then you’ll need to modify the queries in the workbook. 


 


Once you fill in the parameters there will be a simple table showing the day we detected the subscription, the display name, the state and the subscription id. 


 


bwatts670_17-1609185963308.png


 


 Open the Azure Monitor blade and go to the Workbook tab. Click on “New” 


bwatts670_18-1609185963343.png


 


 Click on the “Advanced Editor”  


bwatts670_19-1609185963313.png


 


 Replace the content from the following link: 


https://raw.githubusercontent.com/bwatts64/Downloads/master/New_Subscriptions 


 


Click on Apply: 


bwatts670_20-1609185963316.png


 


You can now verify that you’re able to visualize the data in Log Analytics. Once you’ve verified that click on “Save” to save the newly created workbook. 


bwatts670_21-1609185963319.png


 


Summary 


Monitoring new subscription creating in your Azure Tenant is a common ask by customers. Here we have utilized a Logic App to insert our subscription data into Log Analytics. From there we can both alert and visualize new subscriptions that are created in your environment. 

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

%d bloggers like this: