Azure / AppConfiguration

Questions, feedback and samples for Azure App Configuration service
MIT License

Include user identity in HttpRequest logs #604

Open maskati opened 2 years ago

maskati commented 2 years ago

The App Configuration request log table AACHttpRequest does not include details about the requesting identity. This information should be available similarly to CallerIdentity in the AACAudit table as it is useful for both audit and troubleshooting purposes.

m-adami commented 2 years ago

It would indeed be great to have such logging, as it's otherwise unclear who accesses a certain key.

jimmyca15 commented 1 year ago

Indeed, it could be valuable. Introducing user identifiable information anywhere needs some consideration to respect data privacy. As such, I am inclined to say that the auditing table should be the sole place where such identifying information is held, by design, and perhaps a way to link HTTP requests to audit entries if desired.

@zhenlan @drago-draganov for additional thoughts.

maskati commented 1 year ago

My understanding is that AACAudit is for auditing configuration updates, while AACHttpRequest is a log of all inbound requests including configuration reads. Typically service request logs of Azure AD (Microsoft Entra ID 🙂) authenticated requests include the AAD principal object identifier (GUID), which is not in itself personally identifiable information but a pseudonym mapping to the principal.

microsoft-saya commented 1 year ago

The AACAudit and AACHttpRequest log tables both have the RequestId column which can be used for correlation.
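
A Log Analytics query for the `RequestId` correlation described above, as an added example that is not part of the thread or the App Configuration project's own material. Only `RequestId` and `CallerIdentity` are named in the thread; `TimeGenerated`, `Method`, `RequestURI`, `StatusCode` and `OperationName` are assumed column names, and the 24-hour window is arbitrary.

```kusto
// Added example: correlate request logs with audit entries on RequestId.
// Column names other than RequestId and CallerIdentity are assumptions.
let window = 24h;
let joined =
    AACHttpRequest
    | where TimeGenerated > ago(window)
    | project TimeGenerated, RequestId, Method, RequestURI, StatusCode
    // leftouter keeps every HTTP request, even when no audit row matches it
    | join kind=leftouter (
        AACAudit
        | where TimeGenerated > ago(window)
        | project RequestId, CallerIdentity, OperationName
      ) on RequestId
    | extend HasIdentity = isnotempty(CallerIdentity);
// Per HTTP method: how many requests can be attributed to a caller
// through the audit table, and how many cannot.
joined
| summarize Requests = count(),
            WithIdentity = countif(HasIdentity),
            WithoutIdentity = countif(not(HasIdentity))
    by Method
| order by Requests desc
// To list the individual unattributed requests instead, replace the
// summarize stage with:
//   | where not(HasIdentity)
//   | project TimeGenerated, RequestId, Method, RequestURI, StatusCode
```

Rows counted under `WithoutIdentity` are requests for which the join found no caller in `AACAudit`.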

zhenlan commented 1 year ago

Agreed. I do see the value of including user identity in the HttpRequest logs. However, the user identity (even the hashed/pseudo-ones) is considered personally identifiable information (PII). So, as Jimmy pointed out, we must navigate through the data privacy requirements. Thanks for the feedback. We will share when we have any updates.

maskati commented 12 months ago

@zhenlan please also discuss with other product teams that include identity in request logs which might help in navigating privacy requirements. Some examples:

microsoft-saya commented 5 months ago

@maskati I wanted to understand more about your need for adding the caller identity details to the HTTP request logs. Could you please explain your use case further? Also, from the examples you stated, only the Azure Storage team has the caller identity in their resource logs. The Log Analytics and Key Vault teams have added the caller identities to their Audit logs, which follows the privacy design requirements.

maskati commented 5 months ago

Key Vault and Log Analytics include details of read operations in their audits while AAC doesn’t. If you want to understand who has read specific AAC entries you cannot at the moment achieve that.

microsoft-saya commented 5 months ago

@maskati would this be in the dev or prod environment?

maskati commented 5 months ago

@microsoft-saya auditing, including read audits, is most relevant in production environments.