3.8 Azure Activity Log, Diagnostics, and Resource Health
Key Takeaways
- The Activity Log records management-plane (control-plane) operations — who created, changed, or deleted a resource, when, and from where — not data-plane reads/writes inside a resource.
- Activity Log entries are kept 90 days in the portal for free; for longer retention or KQL analysis you export them via diagnostic settings to Log Analytics, Storage, or Event Hubs.
- Diagnostic settings are the pipe that routes platform metrics and resource logs to a Log Analytics workspace, Storage Account, Event Hub, or partner solution.
- Resource Health reports one resource's state as Available, Unavailable, Degraded, or Unknown, and distinguishes platform-caused from customer-caused problems.
- Activity Log (audit trail) + diagnostic settings (data routing) + Azure Monitor alerts (notification) + Resource Health (status) form a complete management story.
Quick Answer: Activity Log = the audit trail of management actions (who created/deleted/changed a resource). Diagnostic settings = the pipe that routes metrics and logs to storage destinations. Resource Health = the live up/down state of one resource. These three are distinct — the exam tests that you do not blur them.
Control plane vs data plane (the key distinction)
Every Azure operation is either management-plane (control-plane) or data-plane, and the Activity Log captures only the first kind.
| Plane | What it does | Captured by |
|---|---|---|
| Management (control) plane | Manages the resource: create a VM, resize a disk, assign an RBAC role, delete a storage account | Activity Log |
| Data plane | Uses the resource: read a blob, run a SQL query, send a queue message | Resource logs / diagnostics, NOT the Activity Log |
Classic trap: "A user downloaded a file from blob storage — where is that recorded?" That is a data-plane event, so it is not in the Activity Log; it lands in the storage account's diagnostic (resource) logs, and only if a diagnostic setting has already been enabled for the blob service, because resource logs are not collected by default and cannot be recovered after the fact. "A user deleted the storage account" is management-plane and is in the Activity Log.
Azure Activity Log
The Activity Log (formerly the Audit Log) answers four questions about every management operation: who (the caller: a user principal name for a person, or a GUID from the service principal claim when an application or managed identity acted), what (the operation), which resource, and when. Each entry also carries a status (Started / Succeeded / Failed, with intermediate values for long-running asynchronous operations), the caller's IP address, and a correlation ID that links the several entries a single operation produces (the Started entry and its Succeeded or Failed outcome share one ID).
Event categories
| Category | Example |
|---|---|
| Administrative | Create VM, delete storage, assign RBAC role |
| Service Health | Outage and maintenance events |
| Resource Health | A resource's health state changed |
| Alert | An Azure Monitor alert fired |
| Autoscale | A scale-out/scale-in event |
| Policy | An Azure Policy evaluation result |
| Security | A Microsoft Defender for Cloud alert |
| Recommendation | A new Azure Advisor recommendation |
Retention and export
| Destination | Retention | Why use it |
|---|---|---|
| Azure portal | 90 days (free, automatic) | Quick lookup and recent troubleshooting |
| Log Analytics | Workspace default 30 days, configurable up to 2 years of interactive retention (longer with long-term retention) | KQL queries, correlate with other logs |
| Storage Account | As long as you keep it (you set a lifecycle management policy) | Cheap long-term archival for compliance |
| Event Hub | Real-time stream | Feed a SIEM or third-party analytics |
The 90-day portal figure is heavily tested. Anything longer than 90 days requires an export — the portal does not store Activity Log history forever.
Diagnostic settings: the routing pipe
Diagnostic settings are how you send platform metrics and resource logs out of a service to where you want them analyzed or kept.
| Destination | Purpose |
|---|---|
| Log Analytics workspace | Query with KQL, build dashboards |
| Storage Account | Low-cost long-term archival |
| Event Hub | Stream to an external SIEM or tool |
| Partner solution | Hand off to a third-party monitoring product |
Each resource type exposes its own diagnostic categories you enable individually; a storage account, for example, offers separate StorageRead, StorageWrite, and StorageDelete log categories for each of its blob, file, queue, and table services. Without a diagnostic setting, those resource logs are simply not collected, and nothing backfills them once a setting is added later. Memory hook: diagnostic settings move data; they do not analyze it. Analysis happens after it lands in Log Analytics.
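Because a diagnostic setting can name categories one at a time or use a category group, checking "is the write log actually being collected, and where does it go?" is less obvious than it looks. The following is an added example, not code from the original page: it evaluates a list of diagnostic settings for one blob service and reports which categories reach which destination type. The input is constructed to mirror the field names of Microsoft.Insights/diagnosticSettings as listed by `az monitor diagnostic-settings list` (workspaceId, storageAccountId, eventHubAuthorizationRuleId, marketplacePartnerId, and a `logs` array of `category` or `categoryGroup` entries); the resource IDs and setting names are made up.

```python
"""Audit which diagnostic log categories a resource routes, and to where.

Added example, not from the original page. SAMPLE_SETTINGS is constructed
to mirror the shape of `az monitor diagnostic-settings list` output for one
blob service: each setting has optional destination fields and a `logs`
list whose entries name a single `category` or a `categoryGroup`.
"""

# The categories a blob service exposes (the page's read/write/delete split).
BLOB_CATEGORIES = {"StorageRead", "StorageWrite", "StorageDelete"}

# Constructed sample: setting 1 sends write/delete to a Log Analytics
# workspace and leaves read disabled; setting 2 streams every category to an
# Event Hub via the allLogs group. Neither writes to a Storage Account.
SAMPLE_SETTINGS = [
    {
        "name": "to-law",
        "workspaceId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                       "/resourceGroups/ops/providers/Microsoft.OperationalInsights/workspaces/ops-law",
        "storageAccountId": None,
        "eventHubAuthorizationRuleId": None,
        "logs": [
            {"category": "StorageWrite", "enabled": True},
            {"category": "StorageDelete", "enabled": True},
            {"category": "StorageRead", "enabled": False},
        ],
    },
    {
        "name": "to-siem",
        "workspaceId": None,
        "storageAccountId": None,
        "eventHubAuthorizationRuleId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                                       "/resourceGroups/ops/providers/Microsoft.EventHub/namespaces/siem-ns"
                                       "/authorizationRules/RootManageSharedAccessKey",
        "logs": [{"categoryGroup": "allLogs", "enabled": True}],
    },
]

# Destination field on the setting -> short label used in the report.
DESTINATION_FIELDS = {
    "workspaceId": "log_analytics",
    "storageAccountId": "storage",
    "eventHubAuthorizationRuleId": "event_hub",
    "marketplacePartnerId": "partner",
}


def destinations(setting):
    """Return the set of destination labels a single setting writes to."""
    return {label for field, label in DESTINATION_FIELDS.items() if setting.get(field)}


def enabled_categories(setting, all_categories):
    """Expand a setting's `logs` list into the concrete categories it enables.

    `categoryGroup: allLogs` enables every category the resource exposes, so a
    naive test for `category == "StorageWrite"` would miss it. The `audit`
    group is a provider-defined subset; without a per-resource list of what it
    contains, this example conservatively treats it as covering nothing
    (assumption, stated in the lead-in).
    """
    enabled = set()
    for entry in setting.get("logs", []):
        if not entry.get("enabled"):
            continue
        if entry.get("categoryGroup") == "allLogs":
            enabled |= set(all_categories)
        elif "category" in entry:
            enabled.add(entry["category"])
    return enabled


def coverage(settings, all_categories):
    """Map each category to the set of destination labels it is routed to."""
    cov = {c: set() for c in all_categories}
    for setting in settings:
        dests = destinations(setting)
        for category in enabled_categories(setting, all_categories):
            if category in cov:
                cov[category] |= dests
    return cov


def audit_gaps(settings, all_categories, required, must_reach):
    """Return the `required` categories that reach none of the `must_reach` destinations."""
    cov = coverage(settings, all_categories)
    return sorted(c for c in required if not (cov.get(c, set()) & must_reach))


if __name__ == "__main__":
    for category, dests in sorted(coverage(SAMPLE_SETTINGS, BLOB_CATEGORIES).items()):
        print(f"{category:14s} -> {sorted(dests) or 'NOT COLLECTED'}")
    # A year of retained writes needs an archival destination; an Event Hub only streams.
    print("Writes not archived:", audit_gaps(SAMPLE_SETTINGS, BLOB_CATEGORIES, {"StorageWrite"}, {"storage"}))
```

Run against the sample, the report shows StorageRead reaching only the Event Hub and StorageWrite reaching the workspace and the Event Hub but no Storage Account, so the "prove a year of writes is retained" requirement is flagged as a gap even though write logging is switched on. The same shape of check is what you would run over the real CLI output for every storage account in scope.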
Resource Health
Resource Health is a personalized, per-resource dashboard reporting the current and historical state of one specific resource.
| Status | Meaning |
|---|---|
| Available | Functioning normally, no issues detected |
| Unavailable | A platform or non-platform event has impacted it |
| Degraded | Reduced performance, still partially working |
| Unknown | No signal received for 10+ minutes |
Crucially, when a resource is unavailable Resource Health tells you whether the cause is Azure (a platform event) or your own configuration, suggests remediation, and links to support — so you do not waste time blaming the wrong side.
Putting the four together
| Tool | Role in the story |
|---|---|
| Activity Log | The audit trail — who did what to a resource |
| Diagnostic settings | The pipe — routes metrics/logs to a destination |
| Azure Monitor alerts | The trigger — notifies or automates a response |
| Resource Health | The status — is this one resource up right now |
Worked compliance scenario
A bank gets audited and must answer three questions about its Azure footprint:
- "Who deleted the production database last Tuesday?" — The Activity Log holds the management-plane delete event with the caller, timestamp, and correlation ID; if it is older than 90 days, you read it from the workspace or storage archive you exported to, which only works if the export was configured before the deletion, because an export does not backfill earlier history.
- "Prove every storage account write for the past year is retained." — Storage writes are data-plane events, so you must have a diagnostic setting routing the account's StorageWrite log category to a Storage Account with a long retention lifecycle (and ideally an immutability policy, so the archive itself cannot be altered).
- "Was last month's outage Azure's fault or ours?" — Resource Health records whether the impacting event was platform-initiated or user-initiated (a customer-side configuration problem); the same state changes also appear in the Activity Log under the Resource Health category, so an exported Activity Log preserves the answer.
Each question maps to exactly one tool, which is precisely the discrimination AZ-900 tests.
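The first and third audit questions can be answered mechanically from an exported Activity Log. The following is an added example, not code from the original page or from Microsoft: it groups delete operations by correlation ID to find the caller whose delete actually succeeded, and reads the Resource Health entries to report the blame side. The records are constructed to mirror the field names returned by `az monitor activity-log list` (caller, operationName.value, status.value, correlationId, eventTimestamp, resourceId, category.value, properties); the names, resource IDs, timestamps, and the exact Resource Health operation name are assumptions, and real entries carry many more fields than the example uses.

```python
"""Answer "who deleted X?" and "platform or customer fault?" from Activity Log records.

Added example, not from the original page. Records are constructed in the
field layout of `az monitor activity-log list` / the Activity Log REST API;
resource IDs, principals and timestamps are made up.
"""
from collections import defaultdict

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
PAYMENTS_DB = SUB + "/resourceGroups/prod-rg/providers/Microsoft.Sql/servers/prod-sql/databases/payments"
WEB_VM = SUB + "/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/web01"

DELETE_OP = "Microsoft.Sql/servers/databases/delete"
HEALTH_OP = "Microsoft.Resourcehealth/healthevent/Activated/action"  # assumed operation name


def _ev(ts, caller, category, op, status, cid, rid, props=None):
    """Build one record in the REST-API field layout described above."""
    return {"eventTimestamp": ts, "caller": caller, "category": {"value": category},
            "operationName": {"value": op}, "status": {"value": status},
            "correlationId": cid, "resourceId": rid, "properties": props or {}}


# Constructed sample: bob's delete fails (Started -> Failed under one
# correlationId), alice's succeeds (Started -> Succeeded under another), and
# a ResourceHealth entry records a platform-caused outage on a VM. The
# resourceId casing deliberately varies between entries, as it does in real
# exports, so comparisons below are case-insensitive.
SAMPLE_EVENTS = [
    _ev("2024-05-07T08:02:11Z", "bob@contoso.example", "Administrative", DELETE_OP, "Started", "c2", PAYMENTS_DB),
    _ev("2024-05-07T08:02:12Z", "bob@contoso.example", "Administrative", DELETE_OP, "Failed", "c2", PAYMENTS_DB.upper()),
    _ev("2024-05-07T09:14:02Z", "alice@contoso.example", "Administrative", DELETE_OP, "Started", "c1", PAYMENTS_DB),
    _ev("2024-05-07T09:14:09Z", "alice@contoso.example", "Administrative", DELETE_OP, "Succeeded", "c1", PAYMENTS_DB.upper()),
    _ev("2024-04-12T03:30:00Z", "Microsoft.Resourcehealth", "ResourceHealth", HEALTH_OP, "Active", "c3", WEB_VM,
        {"currentHealthStatus": "Unavailable", "previousHealthStatus": "Available",
         "type": "Downtime", "cause": "PlatformInitiated"}),
]


def deletes_by_correlation(events):
    """Group Administrative delete entries by correlationId, keeping the final status.

    One management operation yields several entries (Started, then Succeeded
    or Failed) that share a correlationId. Reporting the last entry per ID
    avoids counting a failed attempt as a deletion.
    """
    groups = defaultdict(list)
    for ev in events:
        if ev["category"]["value"] != "Administrative":
            continue
        if not ev["operationName"]["value"].lower().endswith("/delete"):
            continue
        groups[ev["correlationId"]].append(ev)
    results = []
    for cid, entries in groups.items():
        last = max(entries, key=lambda e: e["eventTimestamp"])
        results.append({"correlationId": cid, "caller": last["caller"],
                        "resourceId": last["resourceId"],
                        "finalStatus": last["status"]["value"],
                        "when": last["eventTimestamp"]})
    return sorted(results, key=lambda r: r["when"])


def who_deleted(events, resource_id):
    """Return the caller of the successful delete of resource_id, or None if there was none."""
    for r in deletes_by_correlation(events):
        if r["resourceId"].lower() == resource_id.lower() and r["finalStatus"] == "Succeeded":
            return r["caller"]
    return None


def blame_side(events, resource_id):
    """Return 'platform', 'customer' or 'unknown' for the latest Unavailable/Degraded
    transition recorded for resource_id, or None if no such Resource Health entry exists."""
    transitions = [ev for ev in events
                   if ev["category"]["value"] == "ResourceHealth"
                   and ev["resourceId"].lower() == resource_id.lower()
                   and ev["properties"].get("currentHealthStatus") in ("Unavailable", "Degraded")]
    if not transitions:
        return None
    latest = max(transitions, key=lambda e: e["eventTimestamp"])
    return {"PlatformInitiated": "platform", "UserInitiated": "customer"}.get(latest["properties"].get("cause"), "unknown")


if __name__ == "__main__":
    for r in deletes_by_correlation(SAMPLE_EVENTS):
        print(f"{r['when']} {r['caller']:22s} {r['finalStatus']:9s} {r['resourceId']}")
    print("Deleted payments DB:", who_deleted(SAMPLE_EVENTS, PAYMENTS_DB))
    print("web01 outage caused by:", blame_side(SAMPLE_EVENTS, WEB_VM))
```

Two details matter in practice. A deleted resource's Activity Log entries are not deleted with it, but a query that only filters on `status == Succeeded` without grouping by correlation ID will still attribute the action correctly here; the grouping matters when you also want to see the failed attempts (bob's) that preceded it. And the same Resource Health entries are present only if the Activity Log was exported before the outage, which is the retention point the scenario makes.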
Common AZ-900 traps in this section
- Activity Log captures management, not usage. Creating/deleting a resource is logged; reading data inside it is not.
- 90 days is free and automatic; longer needs an export. The portal does not keep Activity Log history indefinitely.
- Diagnostic settings route; Log Analytics analyzes. A resource with no diagnostic setting has its resource logs collected nowhere, and adding one later does not recover what was already lost.
- Resource Health is per-resource and tells you the blame side (platform vs customer). It is not a global outage board (that is the Azure Status page) and not the subscription-scoped incident view (that is Azure Service Health).
On the Exam: Match the verb to the tool. "Who deleted this VM?" → Activity Log. "Send these logs to long-term storage" → diagnostic settings. "Is this VM healthy and is the outage Azure's fault?" → Resource Health. "Notify me when CPU spikes" → alerts. The AZ-900 (about 40–60 questions in 45 minutes, pass at 700/1000) almost always includes one of these discrimination items.
A user successfully downloaded a file from a blob storage container. Where is that specific action recorded?
How long does the Azure portal retain Activity Log events for free before you must export them for longer retention?
An operations engineer needs to stream a virtual machine's platform metrics and resource logs to an external SIEM in near real time. Which feature configures this routing?