This article provides the properties and schema for resource group events. For an introduction to event schemas, see Azure Event Grid event schema.
Azure subscriptions and resource groups emit the same event types. The event types are related to resource changes or actions. The primary difference is that resource groups emit events for resources within the resource group, and Azure subscriptions emit events for resources across the subscription.
Resource events are created for PUT, PATCH, POST, and DELETE operations that are sent to management.azure.com. GET operations don't create events. Operations sent to the data plane (like myaccount.blob.core.windows.net) don't create events. The action events provide event data for operations like listing the keys for a resource.
When you subscribe to events for a resource group, your endpoint receives all events for that resource group. The events can include event you want to see, such as updating a virtual machine, but also events that aren't important to you, such as writing a new entry in the deployment history. You can receive all events at your endpoint and write code that processes the events you want to handle. Or, you can set a filter when creating the event subscription.
To programmatically handle events, you can sort events by looking at the operationName value. For example, your event endpoint might only process events for operations that are equal to Microsoft.Compute/virtualMachines/write or Microsoft.Storage/storageAccounts/write.
The event subject is the resource ID of the resource that is the target of the operation. To filter events for a resource, provide that resource ID when creating the event subscription. To filter by a resource type, use a value in following format: /subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/Microsoft.Compute/virtualMachines
Resource groups emit management events from Azure Resource Manager, such as when a VM is created or a storage account is deleted.
The following example shows the schema for a ResourceWriteSuccess event. The same schema is used for ResourceWriteFailure and ResourceWriteCancel events with different values for eventType.
[{
"subject": "/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}",
"source": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}",
"type": "Microsoft.Resources.ResourceWriteSuccess",
"time": "2018-07-19T18:38:04.6117357Z",
"id": "4db48cba-50a2-455a-93b4-de41a3b5b7f6",
"data": {
"authorization": {
"scope": "/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}",
"action": "Microsoft.Storage/storageAccounts/write",
"evidence": {
"role": "Subscription Admin"
}
},
"claims": {
"aud": "{audience-claim}",
"iss": "{issuer-claim}",
"iat": "{issued-at-claim}",
"nbf": "{not-before-claim}",
"exp": "{expiration-claim}",
"_claim_names": "{\"groups\":\"src1\"}",
"_claim_sources": "{\"src1\":{\"endpoint\":\"{URI}\"}}",
"http://schemas.microsoft.com/claims/authnclassreference": "1",
"aio": "{token}",
"http://schemas.microsoft.com/claims/authnmethodsreferences": "rsa,mfa",
"appid": "{ID}",
"appidacr": "2",
"http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier": "{ID}",
"e_exp": "{expiration}",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "{last-name}",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "{first-name}",
"ipaddr": "{IP-address}",
"name": "{full-name}",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "{ID}",
"onprem_sid": "{ID}",
"puid": "{ID}",
"http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "{ID}",
"http://schemas.microsoft.com/identity/claims/tenantid": "{ID}",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "{user-name}",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "{user-name}",
"uti": "{ID}",
"ver": "1.0"
},
"correlationId": "{ID}",
"resourceProvider": "Microsoft.Storage",
"resourceUri": "/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}",
"operationName": "Microsoft.Storage/storageAccounts/write",
"status": "Succeeded",
"subscriptionId": "{subscription-id}",
"tenantId": "{tenant-id}"
},
"specversion": "1.0"
}]
The following example shows the schema for a ResourceDeleteSuccess event. The same schema is used for ResourceDeleteFailure and ResourceDeleteCancel events with different values for eventType.
[{
"subject": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}",
"source": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}",
"type": "Microsoft.Resources.ResourceDeleteSuccess",
"time": "2018-07-19T19:24:12.763881Z",
"id": "19a69642-1aad-4a96-a5ab-8d05494513ce",
"data": {
"authorization": {
"scope": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}",
"action": "Microsoft.Storage/storageAccounts/delete",
"evidence": {
"role": "Subscription Admin"
}
},
"claims": {
"aud": "{audience-claim}",
"iss": "{issuer-claim}",
"iat": "{issued-at-claim}",
"nbf": "{not-before-claim}",
"exp": "{expiration-claim}",
"_claim_names": "{\"groups\":\"src1\"}",
"_claim_sources": "{\"src1\":{\"endpoint\":\"{URI}\"}}",
"http://schemas.microsoft.com/claims/authnclassreference": "1",
"aio": "{token}",
"http://schemas.microsoft.com/claims/authnmethodsreferences": "rsa,mfa",
"appid": "{ID}",
"appidacr": "2",
"http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier": "{ID}",
"e_exp": "262800",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "{last-name}",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "{first-name}",
"ipaddr": "{IP-address}",
"name": "{full-name}",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "{ID}",
"onprem_sid": "{ID}",
"puid": "{ID}",
"http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "{ID}",
"http://schemas.microsoft.com/identity/claims/tenantid": "{ID}",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "{user-name}",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "{user-name}",
"uti": "{ID}",
"ver": "1.0"
},
"correlationId": "{ID}",
"httpRequest": {
"clientRequestId": "{ID}",
"clientIpAddress": "{IP-address}",
"method": "DELETE",
"url": "https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}?api-version=2018-02-01"
},
"resourceProvider": "Microsoft.Storage",
"resourceUri": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}",
"operationName": "Microsoft.Storage/storageAccounts/delete",
"status": "Succeeded",
"subscriptionId": "{subscription-id}",
"tenantId": "{tenant-id}"
},
"specversion": "1.0"
}]
The following example shows the schema for a ResourceActionSuccess event. The same schema is used for ResourceActionFailure and ResourceActionCancel events with different values for eventType.
[{
"subject": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace}/AuthorizationRules/RootManageSharedAccessKey",
"source": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}",
"type": "Microsoft.Resources.ResourceActionSuccess",
"time": "2018-10-08T22:46:22.6022559Z",
"id": "{ID}",
"data": {
"authorization": {
"scope": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace}/AuthorizationRules/RootManageSharedAccessKey",
"action": "Microsoft.EventHub/namespaces/AuthorizationRules/listKeys/action",
"evidence": {
"role": "Contributor",
"roleAssignmentScope": "/subscriptions/{subscription-id}",
"roleAssignmentId": "{ID}",
"roleDefinitionId": "{ID}",
"principalId": "{ID}",
"principalType": "ServicePrincipal"
}
},
"claims": {
"aud": "{audience-claim}",
"iss": "{issuer-claim}",
"iat": "{issued-at-claim}",
"nbf": "{not-before-claim}",
"exp": "{expiration-claim}",
"aio": "{token}",
"appid": "{ID}",
"appidacr": "2",
"http://schemas.microsoft.com/identity/claims/identityprovider": "{URL}",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "{ID}",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "{ID}", "http://schemas.microsoft.com/identity/claims/tenantid": "{ID}",
"uti": "{ID}",
"ver": "1.0"
},
"correlationId": "{ID}",
"httpRequest": {
"clientRequestId": "{ID}",
"clientIpAddress": "{IP-address}",
"method": "POST",
"url": "https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace}/AuthorizationRules/RootManageSharedAccessKey/listKeys?api-version=2017-04-01"
},
"resourceProvider": "Microsoft.EventHub",
"resourceUri": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace}/AuthorizationRules/RootManageSharedAccessKey",
"operationName": "Microsoft.EventHub/namespaces/AuthorizationRules/listKeys/action",
"status": "Succeeded",
"subscriptionId": "{subscription-id}",
"tenantId": "{tenant-id}"
},
"specversion": "1.0"
}]
The following example shows the schema for a ResourceWriteSuccess event. The same schema is used for ResourceWriteFailure and ResourceWriteCancel events with different values for eventType.
[{
"subject": "/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}",
"eventType": "Microsoft.Resources.ResourceWriteSuccess",
"eventTime": "2018-07-19T18:38:04.6117357Z",
"id": "4db48cba-50a2-455a-93b4-de41a3b5b7f6",
"data": {
"authorization": {
"scope": "/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}",
"action": "Microsoft.Storage/storageAccounts/write",
"evidence": {
"role": "Subscription Admin"
}
},
"claims": {
"aud": "{audience-claim}",
"iss": "{issuer-claim}",
"iat": "{issued-at-claim}",
"nbf": "{not-before-claim}",
"exp": "{expiration-claim}",
"_claim_names": "{\"groups\":\"src1\"}",
"_claim_sources": "{\"src1\":{\"endpoint\":\"{URI}\"}}",
"http://schemas.microsoft.com/claims/authnclassreference": "1",
"aio": "{token}",
"http://schemas.microsoft.com/claims/authnmethodsreferences": "rsa,mfa",
"appid": "{ID}",
"appidacr": "2",
"http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier": "{ID}",
"e_exp": "{expiration}",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "{last-name}",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "{first-name}",
"ipaddr": "{IP-address}",
"name": "{full-name}",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "{ID}",
"onprem_sid": "{ID}",
"puid": "{ID}",
"http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "{ID}",
"http://schemas.microsoft.com/identity/claims/tenantid": "{ID}",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "{user-name}",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "{user-name}",
"uti": "{ID}",
"ver": "1.0"
},
"correlationId": "{ID}",
"resourceProvider": "Microsoft.Storage",
"resourceUri": "/subscriptions/{subscription-id}/resourcegroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}",
"operationName": "Microsoft.Storage/storageAccounts/write",
"status": "Succeeded",
"subscriptionId": "{subscription-id}",
"tenantId": "{tenant-id}"
},
"dataVersion": "2",
"metadataVersion": "1",
"topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}"
}]
The following example shows the schema for a ResourceDeleteSuccess event. The same schema is used for ResourceDeleteFailure and ResourceDeleteCancel events with different values for eventType.
[{
"subject": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}",
"eventType": "Microsoft.Resources.ResourceDeleteSuccess",
"eventTime": "2018-07-19T19:24:12.763881Z",
"id": "19a69642-1aad-4a96-a5ab-8d05494513ce",
"data": {
"authorization": {
"scope": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}",
"action": "Microsoft.Storage/storageAccounts/delete",
"evidence": {
"role": "Subscription Admin"
}
},
"claims": {
"aud": "{audience-claim}",
"iss": "{issuer-claim}",
"iat": "{issued-at-claim}",
"nbf": "{not-before-claim}",
"exp": "{expiration-claim}",
"_claim_names": "{\"groups\":\"src1\"}",
"_claim_sources": "{\"src1\":{\"endpoint\":\"{URI}\"}}",
"http://schemas.microsoft.com/claims/authnclassreference": "1",
"aio": "{token}",
"http://schemas.microsoft.com/claims/authnmethodsreferences": "rsa,mfa",
"appid": "{ID}",
"appidacr": "2",
"http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier": "{ID}",
"e_exp": "262800",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "{last-name}",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "{first-name}",
"ipaddr": "{IP-address}",
"name": "{full-name}",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "{ID}",
"onprem_sid": "{ID}",
"puid": "{ID}",
"http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "{ID}",
"http://schemas.microsoft.com/identity/claims/tenantid": "{ID}",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "{user-name}",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "{user-name}",
"uti": "{ID}",
"ver": "1.0"
},
"correlationId": "{ID}",
"httpRequest": {
"clientRequestId": "{ID}",
"clientIpAddress": "{IP-address}",
"method": "DELETE",
"url": "https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}?api-version=2018-02-01"
},
"resourceProvider": "Microsoft.Storage",
"resourceUri": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/{storage-name}",
"operationName": "Microsoft.Storage/storageAccounts/delete",
"status": "Succeeded",
"subscriptionId": "{subscription-id}",
"tenantId": "{tenant-id}"
},
"dataVersion": "2",
"metadataVersion": "1",
"topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}"
}]
The following example shows the schema for a ResourceActionSuccess event. The same schema is used for ResourceActionFailure and ResourceActionCancel events with different values for eventType.
[{
"subject": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace}/AuthorizationRules/RootManageSharedAccessKey",
"eventType": "Microsoft.Resources.ResourceActionSuccess",
"eventTime": "2018-10-08T22:46:22.6022559Z",
"id": "{ID}",
"data": {
"authorization": {
"scope": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace}/AuthorizationRules/RootManageSharedAccessKey",
"action": "Microsoft.EventHub/namespaces/AuthorizationRules/listKeys/action",
"evidence": {
"role": "Contributor",
"roleAssignmentScope": "/subscriptions/{subscription-id}",
"roleAssignmentId": "{ID}",
"roleDefinitionId": "{ID}",
"principalId": "{ID}",
"principalType": "ServicePrincipal"
}
},
"claims": {
"aud": "{audience-claim}",
"iss": "{issuer-claim}",
"iat": "{issued-at-claim}",
"nbf": "{not-before-claim}",
"exp": "{expiration-claim}",
"aio": "{token}",
"appid": "{ID}",
"appidacr": "2",
"http://schemas.microsoft.com/identity/claims/identityprovider": "{URL}",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "{ID}",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "{ID}", "http://schemas.microsoft.com/identity/claims/tenantid": "{ID}",
"uti": "{ID}",
"ver": "1.0"
},
"correlationId": "{ID}",
"httpRequest": {
"clientRequestId": "{ID}",
"clientIpAddress": "{IP-address}",
"method": "POST",
"url": "https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace}/AuthorizationRules/RootManageSharedAccessKey/listKeys?api-version=2017-04-01"
},
"resourceProvider": "Microsoft.EventHub",
"resourceUri": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.EventHub/namespaces/{namespace}/AuthorizationRules/RootManageSharedAccessKey",
"operationName": "Microsoft.EventHub/namespaces/AuthorizationRules/listKeys/action",
"status": "Succeeded",
"subscriptionId": "{subscription-id}",
"tenantId": "{tenant-id}"
},
"dataVersion": "2",
"metadataVersion": "1",
"topic": "/subscriptions/{subscription-id}/resourceGroups/{resource-group}"
}]
An event has the following top-level data:
Property Type Descriptionsource string Full resource path to the event source. This field isn't writeable. Event Grid provides this value. subject string Publisher-defined path to the event subject. type string One of the registered event types for this event source. time string The time the event is generated based on the provider's UTC time. id string Unique identifier for the event. data object Resource group event data. specversion string CloudEvents schema specification version.
An event has the following top-level data:
Property Type Descriptiontopic string Full resource path to the event source. This field isn't writeable. Event Grid provides this value. subject string Publisher-defined path to the event subject. eventType string One of the registered event types for this event source. eventTime string The time the event is generated based on the provider's UTC time. id string Unique identifier for the event. data object Resource group event data. dataVersion string The schema version of the data object. The publisher defines the schema version. metadataVersion string The schema version of the event metadata. Event Grid defines the schema of the top-level properties. Event Grid provides this value.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4