Set-AzScheduledQueryRule reverts alert rule back to V1

[BartDecker]

Description

Set-AzScheduledQueryRule reverts alert rule back to V1

Example scenario:

We deploy our alert rules by a git workflow. Sometimes we afterwards update the description of the deployed alerts using Set-AzScheduledQueryRule

Before the action it's a v2 alert, after the action it's a v1 alert. The "createdWithApiVersion" in the json changes from

"createdWithApiVersion": "2023-03-15-preview"

to

"createdWithApiVersion": "2018-04-16",

Issue script & Debug output

DEBUG: 10:16:38 - SetScheduledQueryRuleCommand begin processing with ParameterSet 'ByInputObject'.
DEBUG: 10:16:38 - using account id 'bart.xxxx.net'...
DEBUG: 10:16:38 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: [Common.Authentication]: Authenticating using Account: 'bart.xxxx.net', environment: 'AzureCloud', tenant: 'bc57f51a-6d93-46ac-ae9c-c2a2840d090e'
DEBUG: 10:16:38 - [ConfigManager] Got nothing from [EnableLoginByWam], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: 10:16:38 - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'bc57f51a-6d93-46ac-ae9c-c2a2840d090e', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'bart.xxxx.net'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z - 023b18f7-e801-4944-9afc-0b05b259be5b] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z - 023b18f7-e801-4944-9afc-0b05b259be5b] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z - 023b18f7-e801-4944-9afc-0b05b259be5b] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z - 023b18f7-e801-4944-9afc-0b05b259be5b] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z - 023b18f7-e801-4944-9afc-0b05b259be5b] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z - 023b18f7-e801-4944-9afc-0b05b259be5b] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z - 023b18f7-e801-4944-9afc-0b05b259be5b] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z] Found 3 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z] Returning 3 accounts 
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z - 7ed8d0a6-c64c-4d13-84e8-6075a95a902d] MSAL MSAL.NetCore with assembly version '4.49.1.0'. CorrelationId(7ed8d0a6-c64c-4d13-84e8-6075a95a902d)    
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z - 7ed8d0a6-c64c-4d13-84e8-6075a95a902d] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z - 7ed8d0a6-c64c-4d13-84e8-6075a95a902d] LoginHint provided: False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z - 7ed8d0a6-c64c-4d13-84e8-6075a95a902d] Account provided: True
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z - 7ed8d0a6-c64c-4d13-84e8-6075a95a902d] ForceRefresh: False
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z - 7ed8d0a6-c64c-4d13-84e8-6075a95a902d]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - 7ed8d0a6-c64c-4d13-84e8-6075a95a902d
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:

DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z - 7ed8d0a6-c64c-4d13-84e8-6075a95a902d] === Token Acquisition (SilentRequest) started:
         Scopes: https://management.core.windows.net//.default
        Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z - 7ed8d0a6-c64c-4d13-84e8-6075a95a902d] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z - 7ed8d0a6-c64c-4d13-84e8-6075a95a902d] Access token is not expired. Returning the found cache entry. [Current time (08/30/2023 08:16:38) - Expiration Time (08/30/2023 13:47:27 +00:00) - Extended Expiration Time (08/30/2023 13:47:27 +00:00)]
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z - 7ed8d0a6-c64c-4d13-84e8-6075a95a902d] Returning access token found in cache. RefreshOn exists ? True
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z - 7ed8d0a6-c64c-4d13-84e8-6075a95a902d] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z - 7ed8d0a6-c64c-4d13-84e8-6075a95a902d]
        === Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.NetCore .NET 6.0.20 Microsoft Windows 10.0.19045 [2023-08-30 08:16:38Z - 7ed8d0a6-c64c-4d13-84e8-6075a95a902d]  AT expiration time: 30/08/2023 13:47:27 +00:00, scopes: https://management.core.windows.net//user_impersonation https://management.core.windows.net//.default. source: Cache
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  ExpiresOn: 2023-08-30T13:47:27.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: 'bc57f51a-6d93-46ac-ae9c-c2a2840d090e', UserId: 'bart.dxxx.net'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PUT

Absolute Uri:
https://management.azure.com/subscriptions/sssssss-9abe-4702-8132-b41d3107928b/resourcegroups/sssssg/providers/Microsoft.Insights/scheduledQueryRules/Example test alert?api-version=2018-04-16

Headers:
x-ms-client-request-id        : ceac15b8-291c-4180-9fec-c16a3f82b81c
Accept-Language               : en-US

Body:
{
  "properties": {
    "description": "test",
    "enabled": "false",
    "source": {
      "query": "AzureActivity|top 1 by TimeGenerated desc|summarize AggregatedValue=count() by bin(TimeGenerated,5m)|extend SubscriptionId=\"sssssss4702-8132-b41d3107928b\"|project TimeGenerated,AggregatedValue,Caller=\"example-xxxxnet\",SubscriptionId,Resource_group=\"example-resource-group\",Resource_name=\"example-resource-001\"",
      "dataSourceId": "/subscriptions/sssssbe-4702-8132sss7928b/resourceGroups/ssssing/providers/Microsoft.OperationalInsights/workspaces/dv5-sssss",
      "queryType": "Number"
    },
    "schedule": {
      "frequencyInMinutes": 5,
      "timeWindowInMinutes": 2880
    },
    "action": {
      "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction",
      "severity": "2",
      "aznsAction": {
        "actionGroup": [
          "/subscriptions/3ssssabe-4702-8132-b41d3107928b/resourceGroups/dsssg/providers/Microsoft.Insights/actionGroups/dsd-ssactiongroup-itsm"
        ]
      },
      "trigger": {
        "thresholdOperator": "GreaterThan",
        "threshold": 0.0,
        "metricTrigger": {
          "thresholdOperator": "GreaterThanOrEqual",
          "threshold": 1.0,
          "metricTriggerType": "Total",
          "metricColumn": "SubscriptionId"
        }
      }
    }
  },
  "location": "northeurope",
  "tags": {
    "xxxpose": "xxxxing",
    "xanagedxx": "true"
  }
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
X-Rate-Limit-Limit            : 1m
X-Rate-Limit-Remaining        : 14
X-Rate-Limit-Reset            : 2023-08-30T08:17:39.0303636Z
Server                        : Kestrel
x-ms-ratelimit-remaining-subscription-writes: 1199
x-ms-request-id               : ea09993a-08cf-44d1-9f98-251aeb556ea7
x-ms-correlation-request-id   : ea09993a-08cf-44d1-9f98-251aeb556ea7
x-ms-routing-request-id       : WESTEUROPE:20230830T081642Z:ea09993a-08cf-44d1-9f98-251aeb556ea7
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Date                          : Wed, 30 Aug 2023 08:16:41 GMT

Body:
{
  "id": "/subscriptions/ssssss-8132-b41d3107928b/resourceGroups/ssssg-monitoring/providers/microsoft.insights/scheduledqueryrules/Example test alert",
  "name": "Example test alert",
  "type": "microsoft.insights/scheduledqueryrules",
  "location": "northeurope",
  "tags": {
    "xxxose": "Evxring",
    "Exxxged": "true"
  },
  "etag": "\"be02c141-0000-0d00-0000-64eefaea0000\"",
  "properties": {
    "createdWithApiVersion": "2018-04-16",
    "description": "test",
    "displayName": "Example test alert",
    "enabled": "false",
    "lastUpdatedTime": "2023-08-30T08:16:42Z",
    "provisioningState": "Succeeded",
    "source": {
      "query": "AzureActivity|top 1 by TimeGenerated desc|summarize AggregatedValue=count() by bin(TimeGenerated,5m)|extend SubscriptionId=\"ssssss-8132-b41d3107928b\"|project TimeGenerated,AggregatedValue,Caller=\"example-alert@xxx.net\",SubscriptionId,Resource_group=\"example-resource-group\",Resource_name=\"example-resource-001\"",
      "dataSourceId": "/subscriptions/sssss702-8132-b41d3107928b/resourceGroups/dv5-mgmt-d-ssring/providers/Microsoft.OperationalInsights/workspaces/dv5-mgmt-d-loganalytics",
      "queryType": "Number"
    },
    "schedule": {
      "frequencyInMinutes": 5,
      "timeWindowInMinutes": 2880
    },
    "action": {
      "severity": "2",
      "aznsAction": {
        "actionGroup": [
          "/subscriptions/sssss8132-b41d3107928b/resourceGroups/ssss-d-rsg-monitoring/providers/Microsoft.Insights/actionGroups/ssssup-itsm"
        ]
      },
      "trigger": {
        "thresholdOperator": "GreaterThan",
        "threshold": 0,
        "metricTrigger": {
          "thresholdOperator": "GreaterThanOrEqual",
          "threshold": 1,
          "metricTriggerType": "Total",
          "metricColumn": "SubscriptionId"
        }
      },
      "odata.type": "Microsoft.WindowsAzure.Management.Monitoring.Alerts.Models.Microsoft.AppInsights.Nexus.DataContracts.Resources.ScheduledQueryRules.AlertingAction"
    }
  }
}

CreatedWithApiVersion    : 
IsLegacyLogAnalyticsRule : 
Description              : test
DisplayName              : 
AutoMitigate             : 
Enabled                  : false
LastUpdatedTime          : 30/08/2023 08:16:42
ProvisioningState        : Succeeded
Source                   : Microsoft.Azure.Management.Monitor.Models.Source
Schedule                 : Microsoft.Azure.Management.Monitor.Models.Schedule
Action                   : Microsoft.Azure.Management.Monitor.Models.AlertingAction
Id                       : /subscriptions/ssss-4702-8132-b41d3107928b/resourceGroups/dssssring/prov 
                           iders/microsoft.insights/scheduledqueryrules/Example test alert
Name                     : Example test alert
Type                     : microsoft.insights/scheduledqueryrules
Location                 : northeurope
Tags                     : {[ssssssssssssssssssss]}
Kind                     : 
Etag                     : 

DEBUG: 10:16:42 - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Monitor:3.1.0; CommandName: Set-AzScheduledQueryRule; PSVersion: 7.2.13; IsSuccess: True; Duration: 00:00:04.1452858
DEBUG: 10:16:42 - [ConfigManager] Got [True] from [EnableDataCollection], Module = [], Cmdlet = [].
DEBUG: 10:16:42 - SetScheduledQueryRuleCommand end processing.

Environment data

Name                           Value
----                           -----
PSVersion                      7.2.13
PSEdition                      Core
GitCommitId                    7.2.13
OS                             Microsoft Windows 10.0.19045
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

Script     2.12.3                Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, C… 
Script     0.6.0                 Az.AlertsManagement                 {Get-AzAlert, Get-AzAlertObjectHistory, Get-AzAlertPro… 
Script     3.1.0                 Az.Monitor                          {Add-AzAutoscaleSetting, Add-AzLogProfile, Add-AzMetri… 
Script     3.2.0                 Az.OperationalInsights              {Disable-AzOperationalInsightsIISLogCollection, Disabl… 
Script     6.2.0                 Az.Resources                        {Export-AzResourceGroup, Export-AzTemplateSpec, Get-Az

Error output

No error. Just expected to be able to set the correct api or the commandlet using the api by which the to be updated alert was created.

[isra-fel]

Hi @NoriZC please look into this when you got time, thanks.

[NoriZC]

Hi @BartDecker,

Az.Monitor 3.1.0 is a relatively old version. It called CreateOrUpdate api and the api version is 2018-04-16.

Our current version is 4.6.0, where the api version is 2021-08-01. We are not supporting 2023-03-15-preview as git workflow. If you want to keep the same api version, you can call New-AzScheduledQueryRule to create the alert. If you need the api version to be exactly 2023-03-15-preview for some reason, could you please explain more about how will this property effect you? Like what's the gap between v1 and v2 alerts?

Appreciate if you are willing to try newer version of Monitor. Please run Install-Module Az.Monitor -Repository PSGallery -AllowClobber and refer to Update-AzScheduledQueryRule.

[BartDecker]

@NoriZC thanks for your feedback. I see I skipped some steps in my testing. I was not aware of a new cmdlet being available for updating the alert. I will use that one to do what I need to do instead of the old cmdlet.