Is it possible to review the changes to ACL? Where should I search for logs?


I see that somebody gave "Tom" the ACL access to a storage account. I would like to check who gave Tom the access and when it happened.

The access was probably provided via the Azure portal or Azure Storage Explorer.

I've tried opening the activity log blade in the storage account. I've downloaded the logs for the last days. However, the list seems to include RBAC changes (it's labelled "Create role assignment"), but not ACL changes. Some ACL changes that I myself know I undertook in the last days don't appear there.

My role is Resource Group admin and Resource Group User. There are custom roles at my company, but I think they correspond to the standard roles to a high degree.

There is 1 answer below.

  • You can review the Set Container ACL operation logs by enabling the diagnostic settings on the storage account (send those logs to a Log Analytics workspace; using KQL, you can then query them).

  • If you enable default Azure Active Directory authorization on the storage account, you will be able to see the UserObjectID in the RequesterObjectId column as shown below.


You can refer to this documentation for the list of RBAC roles that can access and modify the ACL on a storage account if Azure AD auth is enabled on the account.
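As an added example (not part of the answer above), this is the kind of KQL query you would run in the Log Analytics workspace once the diagnostic setting is on. It assumes the blob-service resource logs land in the `StorageBlobLogs` table and that the answer's "Set Container ACL operation" appears there with the operation name `SetContainerAcl`; the column names (`RequesterObjectId`, `RequesterUpn`, `AuthenticationType`, `CallerIpAddress`) are taken from that table's schema and should be checked in your own workspace. It also handles the caveat in the answer's second point: only Azure AD (OAuth) requests carry a requester identity, so shared-key and SAS requests are shown with their source IP instead of silently appearing blank.

```kql
// Added example, not the answer's own query. Assumes diagnostic logs for the
// blob service are sent to a Log Analytics workspace (StorageBlobLogs table).
// The operation name "SetContainerAcl" is assumed to match the answer's
// "Set Container ACL operation"; verify with `StorageBlobLogs | distinct OperationName`.
StorageBlobLogs
| where TimeGenerated > ago(7d)
| where OperationName == "SetContainerAcl"
// Only OAuth (Azure AD) requests populate RequesterObjectId/RequesterUpn.
// Shared-key and SAS requests leave them empty, so fall back to the
// authentication type and caller IP to give the investigator a lead.
| extend Requester = iff(isnotempty(RequesterObjectId),
                         strcat(RequesterUpn, " (", RequesterObjectId, ")"),
                         strcat("no identity: ", AuthenticationType, " from ", CallerIpAddress))
| project TimeGenerated, AccountName, Uri, StatusCode, AuthenticationType, Requester
| order by TimeGenerated desc
```

Narrow the time window or add `| where AccountName == "<your-account>"` if the workspace collects logs from several storage accounts. If the change you are looking for was made through a different API than the container ACL one, list the operation names actually present with `| distinct OperationName` and filter on the one that matches, rather than assuming `SetContainerAcl`.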