ARM, Activity Log & Track Changes Demo
Start course
1h 21m

Microsoft Azure is a robust, feature-rich cloud platform used by a growing number of technology companies. With its vast array of services, a key challenge to administering an Azure environment is security. How can we ensure that our Azure infrastructure meets strict security standards? This course offers the answer.

In three concise units, the student will learn all about compliance and cloud security. The course delves into several key Azure components, including Azure DevOps, Azure Security Center, Desired State Configuration, and Azure Pipelines. After completing the lessons and watching the video demonstrations, the student will be equipped with the knowledge to automate critical security tasks to ensure a thoroughly hardened cloud architecture.

This skill set will serve infrastructure developers working with live environments or seeking to pass certification exams. Most importantly, it will help students understand cloud security in a comprehensive and thorough way.

For feedback, queries, or suggestions relating to this course, please contact us at

Learning Objectives

  • Scan infrastructure using Azure tools to prevent drift leading to compliance violations
  • Automate configuration using Azure Automation and Desired State Configuration
  • Create secure and compliant software pipelines in Azure

Intended Audience

This course is intended for:

  • Those looking to learn more about the security and compliance features in Azure
  • People studying for Microsoft's AZ-400 exam


To get the most from this course, you should already have a basic understanding of Microsoft Azure as well as some knowledge of programming and cloud infrastructure. 


Greetings, welcome to the second demo for our course on Azure security and compliance. This demo will be pretty short, we're just going to review the "three lines of defense" for detecting drift in an Azure cloud environment. We'll be showing off the Azure Resource Manager portal, the activity log, and how to enable the track changes feature. So let's dive right in.

First of all, we'll start off in our portal, and we'll go to the Resource Groups section. Now, in our test account here we only have a few small groups, in two geographic regions here, US east one and two. To see our config, we'll just click on our group that's interesting to us. So for us let's try "TestGroup1." And right away we can get a lay of the land, we can see in the menu that there is an overview here which is where we start. We have a number of additional things like access control, and the activity log up here, which we'll come back to. As we mentioned in the lesson one of this section, one of the key things in the Resource Manager, in ARM is the concept of deployment templates.

So let's take a quick look at that. We can just click on "deployments" actually. Then select the one that we care about, it will take a second to load. Okay, so once those are loaded, we can see our deployments. And we can select any of the ones we care about. There's not a lot of deployments here 'cause we've just done a few basic VM's, but if we click on any one at random, we can see, for example, this one, creation of a server. And if we go into this server creation, cool thing is we can actually click on the template and we get this big JSON file that describes everything about the deployment, about the resource. So this is human readable and parseable, which is pretty cool. So it's very easy to manage this kind of thing in version control if you wanted to. They have an infrastructure's code paradigm. In the web portal, we get nice time stamps and status reports on every deployment, and we can check the parameters as well, and scripts. Really it's a great first source of truth for identifying drift. So we'll go back to our resource group.

And now, we're gonna take a look at the activity log. Now, the activity log we can also get from the Resource Group menu. The log will just give us information about Azure environment events detectable by the API. So this is an important thing to note. If you SSH to a server and edit a file or do some other more surgical operation, it won't necessarily be reflected here unless you have detailed change tracking enabled which we will talk about. But keep that in mind.

The activity log is for things recognizable by the Azure API. And it's still very easy as a high level source of truth to parse when it comes to resources. So we can see a few events here. One of the nice things is that we can change the timeframe, this is really only the last six hours. So we can change it to the last week, and we can see how much broader range of options here, of output, right? And we can also add additional filters here aside from time span. So, this is another really easy way to catch drift, by going through and parsing this log. Okay, so now the last thing we're gonna do is we're going to show off the track changes feature. And this is not difficult to do but there are a few prerequisites.

Now, first of all, one thing you need is you have to enable an Azure Automation account, which is not enabled by default. So, you just go to that item in your portal, and you'll have to enable it, you have to select it. And you can enable it even with a free tier account. If that is done, if you have an Azure Automation account, here you see there's two. Then, all you need is a Log Analytics work space. To define that, you can see the item here in Azure services or you can search for it. You can literally just type Azure log analytics, or just log analytics and it'll just pop up, if you can't find it. And then you need to define a workspace, and when you create new, you'll have to give it a name and a location. Now, the location is actually really important. One note here is that the regions do not have a one to one mapping, the Log Analytics workspace and your Automation account. So for example, if your Log Analytics account is in US region east one, US east one, you'll actually need an Azure Automation account in east two. So, that mapping is a little bit annoying, we'll give you a link to the documentation to see those mappings.

But anyway, as far as enabling it, you go into your Automation account, this is one basic account. This account does not have change tracking enabled, but to actually enable it, basically we just go in to our Automation account, and we click on the change tracking here, and we will pick the workspace we care about.

The Automation account has a lot of different features. I'm gonna actually go to an account that has it enabled. I could actually do a whole lesson on just Azure Automation account because honestly as a DevOps guy it's really a dream tool set, all of the stuff they have here. But this is a security-focused class so we'll focus in on that. Once you have change tracking here enabled, you'll see here that you have a few different options here.

So, we have options for files, for daemons, for events, registry, software window services. There's no changes in this account because it's a pretty empty account, but the cool thing is you can do diffs by clicking on individual things here. And I think from here it's fairly intuitive, but this is our final point for this demo. That about does it. Resource Manager, activity log, and change tracking. Three ways to preempt and stop drift in your environment. All pretty easy to see in the web, and easy to work with at the API level. So, hopefully this is helpful. Cheers.


Useful Links


Course Introduction - Compliance & Security Scanning - Security Center Demo - Preventing Drift - Desired State Configuration (DSC) - Azure Desired State Configuration Demo - Azure Automation State Configuration - VM Agents & Extensions - VM Agents & Extensions Demo - Security & Compliance Pipelines - Azure Pipelines & Gates Demo - Course Summary

About the Author

Jonathan Bethune is a senior technical consultant working with several companies including TopTal, BCG, and Instaclustr. He is an experienced devops specialist, data engineer, and software developer. Jonathan has spent years mastering the art of system automation with a variety of different cloud providers and tools. Before he became an engineer, Jonathan was a musician and teacher in New York City. Jonathan is based in Tokyo where he continues to work in technology and write for various publications in his free time.