Share via

From Azure activity log can we get know whether that particular operation is done from portal or other method like powershell, cli etc.

Shubham Prajapati 40 Reputation points
2025-11-27T12:28:26.0866667+00:00

From Azure activity log can we get know whether that particular operation is done from portal or other method like PowerShell, cli etc. or do we have any other option from there we can get the information.

Azure Cloud Services
Azure Cloud Services
An Azure platform as a service offer that is used to deploy web and cloud applications.

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Shraddha Pandey 375 Reputation points Microsoft External Staff Moderator
    2025-11-27T14:45:38.01+00:00

    Hi Shubham Prajapati,

    Azure activity logs show what actions occurred in your Azure account, including details about who performed them and when. However, they don’t specify whether the action was taken via the Azure web portal, PowerShell, CLI, or another tool. To determine that, you typically need additional tracking or logs beyond the standard activity log.

    The Azure activity log captures administrative operations on resources, including who called the operation, operation name, timestamps, and status.

    Here are some steps you can follow:

    Enable export of Activity Log to Log Analytics

    1. In Azure portal, go to: Monitor → Activity log.​
    2. Click “Export Activity Logs” or “Diagnostic settings”.​
    3. Add a diagnostic setting:
    • Choose your subscription.
    • Select destination: “Send to Log Analytics workspace"
    • Select all Activity Log categories.
    • Save the setting.

    Use Entra ID (Azure AD) Sign-in Logs

    1. Go to Microsoft Entra ID → Monitoring → Diagnostic settings.​
    2. Create/edit a diagnostic setting to send Sign‑in logs (and Audit logs if needed) to the same Log Analytics workspace used above.​
    3. Save and wait a few minutes for data to flow.

    Check user agent in Activity Log

    1. In Azure portal → Monitor → Activity log, open the specific event.
    2. View JSON or “Properties” and look for httpRequest.userAgent
    3. If present:
      • “az cli” in the string suggests Azure CLI.
      • Browser‑type strings (Mozilla/Chrome/Edge) usually suggest Portal.

    Documents:

    Activity log in Azure Monitor

    Azure Activity Log event schema

    Get started with log queries in Azure Monitor Logs

    Microsoft Entra activity logs schema

    Configure Azure activity log export

    Diagnostic settings in Azure Monitor

    I hope the above helps. Please let us know if you have any further questions on this.

    Thank You!

    1 person found this answer helpful.
    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.