Azure / azure-powershell

Microsoft Azure PowerShell

Set-AzSqlServerAudit refuses AuditActionGroup described in online documentation "SQL Server Audit Action Groups and Actions" #24536

Open LoloActemium opened 7 months ago

LoloActemium commented 7 months ago

Description

Hello, some Audit Action Groups at server level are not supported by the Set-AzSqlServerAudit function. One example: LOGIN_CHANGE_PASSWORD_GROUP. The documentation does not mention that it's not supported by Azure SQL Servers.

Issue script & Debug output

PS C:\Users\laurent.wehrlen> Set-AzSqlServerAudit -ResourceGroupName "vesact" -ServerName "vesact" -AuditActionGroup APPLICATION_ROLE_CHANGE_PASSWORD_GROUP, BACKUP_RESTORE_GROUP, DATABASE_CHANGE_GROUP, DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP, DATABASE_OBJECT_PERMISSION_CHANGE_GROUP, DATABASE_OWNERSHIP_CHANGE_GROUP, DATABASE_PERMISSION_CHANGE_GROUP, DATABASE_PRINCIPAL_CHANGE_GROUP, DATABASE_PRINCIPAL_IMPERSONATION_GROUP, DATABASE_ROLE_MEMBER_CHANGE_GROUP, DBCC_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, LEDGER_OPERATION_GROUP, USER_CHANGE_PASSWORD_GROUP, LOGIN_CHANGE_PASSWORD_GROUP
Set-AzSqlServerAudit: Cannot bind parameter 'AuditActionGroup'. Cannot convert value "LOGIN_CHANGE_PASSWORD_GROUP" to type "Microsoft.Azure.Commands.Sql.Auditing.Model.AuditActionGroups". Error: "Unable to match the identifier name LOGIN_CHANGE_PASSWORD_GROUP to a valid enumerator name. Specify one of the following enumerator names and try again:
BATCH_STARTED_GROUP, BATCH_COMPLETED_GROUP, APPLICATION_ROLE_CHANGE_PASSWORD_GROUP, BACKUP_RESTORE_GROUP, DATABASE_LOGOUT_GROUP, DATABASE_OBJECT_CHANGE_GROUP, DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP, DATABASE_OBJECT_PERMISSION_CHANGE_GROUP, DATABASE_OPERATION_GROUP, DATABASE_PERMISSION_CHANGE_GROUP, DATABASE_PRINCIPAL_CHANGE_GROUP, DATABASE_PRINCIPAL_IMPERSONATION_GROUP, DATABASE_ROLE_MEMBER_CHANGE_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, SCHEMA_OBJECT_ACCESS_GROUP, SCHEMA_OBJECT_CHANGE_GROUP, SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP, SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP, SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, USER_CHANGE_PASSWORD_GROUP, LEDGER_OPERATION_GROUP, DBCC_GROUP, DATABASE_OWNERSHIP_CHANGE_GROUP, DATABASE_CHANGE_GROUP"

Environment data

Name                           Value
----                           -----
PSVersion                      7.4.1
PSEdition                      Core
GitCommitId                    7.4.1
OS                             Microsoft Windows 10.0.22621
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.16.0                Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script     4.14.0                Az.Sql                              {Add-AzSqlDatabaseToFailoverGroup, Add-AzSqlElasticJobStep, Add-AzSqlElasticJobTarget, A…

Error output

No response

microsoft-github-policy-service[bot] commented 7 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @azureSQLGitHub.

h37arp commented 5 months ago

This one as well: FAILED_LOGIN_GROUP
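
An added example (not part of the issue thread and not code from the Az.Sql module): a pre-check that splits a requested audit policy into the groups the cmdlet's AuditActionGroups enum accepts and the ones it rejects, so unsupported groups such as the two reported above are surfaced instead of failing the whole call. The helper names Get-AcceptedAuditActionGroup and Split-AuditActionGroup are hypothetical, and the fallback list is copied from the error message quoted in this issue (Az.Sql 4.14.0).

```powershell
# Fallback list: the enumerator names printed in the error message above.
$AcceptedFromError = @(
    'BATCH_STARTED_GROUP', 'BATCH_COMPLETED_GROUP', 'APPLICATION_ROLE_CHANGE_PASSWORD_GROUP',
    'BACKUP_RESTORE_GROUP', 'DATABASE_LOGOUT_GROUP', 'DATABASE_OBJECT_CHANGE_GROUP',
    'DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP', 'DATABASE_OBJECT_PERMISSION_CHANGE_GROUP',
    'DATABASE_OPERATION_GROUP', 'DATABASE_PERMISSION_CHANGE_GROUP', 'DATABASE_PRINCIPAL_CHANGE_GROUP',
    'DATABASE_PRINCIPAL_IMPERSONATION_GROUP', 'DATABASE_ROLE_MEMBER_CHANGE_GROUP',
    'FAILED_DATABASE_AUTHENTICATION_GROUP', 'SCHEMA_OBJECT_ACCESS_GROUP', 'SCHEMA_OBJECT_CHANGE_GROUP',
    'SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP', 'SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP',
    'SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP', 'USER_CHANGE_PASSWORD_GROUP', 'LEDGER_OPERATION_GROUP',
    'DBCC_GROUP', 'DATABASE_OWNERSHIP_CHANGE_GROUP', 'DATABASE_CHANGE_GROUP'
)

function Get-AcceptedAuditActionGroup {   # hypothetical helper
    # If Az.Sql is imported, read the names from the installed module's enum
    # (type name taken from the error message); otherwise use the fallback list.
    $enumType = 'Microsoft.Azure.Commands.Sql.Auditing.Model.AuditActionGroups' -as [type]
    if ($enumType) { [Enum]::GetNames($enumType) } else { $AcceptedFromError }
}

function Split-AuditActionGroup {         # hypothetical helper
    param([Parameter(Mandatory)][string[]] $Requested)
    $accepted = @(Get-AcceptedAuditActionGroup)
    # Normalise and de-duplicate; -in / -notin compare case-insensitively.
    $names = $Requested | ForEach-Object { $_.Trim().ToUpperInvariant() } | Select-Object -Unique
    [pscustomobject]@{
        Accepted = @($names | Where-Object { $_ -in $accepted })
        Rejected = @($names | Where-Object { $_ -notin $accepted })
    }
}

# Constructed sample policy mixing accepted groups with the two reported in this thread.
$wanted = 'USER_CHANGE_PASSWORD_GROUP', 'LOGIN_CHANGE_PASSWORD_GROUP',
          'FAILED_LOGIN_GROUP', 'FAILED_DATABASE_AUTHENTICATION_GROUP'
$plan = Split-AuditActionGroup -Requested $wanted

if ($plan.Rejected.Count -gt 0) {
    # Record the gap between the intended and the configurable audit policy.
    Write-Warning ('Rejected by the AuditActionGroups enum: ' + ($plan.Rejected -join ', '))
}
$plan | Format-List

# Apply only the accepted groups (resource names are placeholders):
# Set-AzSqlServerAudit -ResourceGroupName '<resource-group>' -ServerName '<server>' -AuditActionGroup $plan.Accepted
```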