Enable AuditEvent Logging for Azure Key Vaults

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Subscription equals filter and select the Azure subscription that you want to examine.

04 Choose the Type equals filter, select Equals for Operator, and choose Key vault for Value to list the Azure Key Vaults available in the selected subscription.

05 Click on the name (link) of the Key Vault instance that you want to examine.

06 In the left navigation panel, under Monitoring, select Diagnostic settings to access the diagnostic settings available for the selected Azure Key Vault.

07 On the Diagnostic settings configuration page, check for any defined diagnostic settings. If there are no diagnostic settings listed on this page, audit logging is not enabled for the verified Azure Key Vault. If there are one or more diagnostic settings defined, choose Edit setting to access the feature settings. If none of the defined diagnostic settings are configured with access logging (i.e. the Audit Logs checkbox is not selected), AuditEvent logging is not enabled for the selected Microsoft Azure Key Vault.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

01 Run keyvault list command (Windows/macOS/Linux) with custom query filters to list the identifier (ID) of each Azure Key Vault available within the selected subscription:

az keyvault list
  --query '[*].id'

02 The command output should return the requested resource identifiers (IDs):

[
"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-main-key-vault",
"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-production-vault"
]

03 Run monitor diagnostic-settings list command (Windows/macOS/Linux) using the ID of the Key Vault that you want to examine as the identifier parameter and custom query filters to describe the active diagnostic settings defined for the specified Azure Key Vault:

az monitor diagnostic-settings list
  --resource "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-main-key-vault"
  --query '[*].logs | []'

04 The command output should return the diagnostic settings information available for the selected Key Vault (including AuditEvent logging information):

1. If the command output returns an empty array (i.e. []), as shown in the output example below, there are no diagnostic settings currently defined, thus audit logging is not enabled for the selected Microsoft Azure Key Vault:
   []
   

2. If the monitor diagnostic-settings list command output returns any configuration information, check the "enabled" attribute value (boolean) associated with the "AuditEvent" log category. If "enabled" is set to false, as shown in the output example below, the diagnostic settings defined for the specified resource does not include audit logging, therefore AuditEvent logging is not enabled for the selected Microsoft Azure Key Vault:
   [
     {
       "category": "AuditEvent",
       "categoryGroup": null,
       "enabled": false,
       "retentionPolicy": {
         "days": 0,
         "enabled": false
       }
     },
     {
       "category": "AzurePolicyEvaluationDetails",
       "categoryGroup": null,
       "enabled": true,
       "retentionPolicy": {
         "days": 0,
         "enabled": false
       }
     }
   ]
   

05 Repeat steps no. 1 – 4 for each subscription available in your Microsoft Azure cloud account.

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 Choose the Subscription equals filter and select the Azure subscription that you want to access.

04 Choose the Type equals filter, select Equals for Operator, and choose Key vault for Value to list the Azure Key Vaults available in the selected subscription.

05 Click on the name (link) of the Key Vault instance that you want to reconfigure.

06 In the navigation panel, under Monitoring, select Diagnostic settings to access the diagnostic settings available for the selected Azure Key Vault.

07 On the Diagnostic settings configuration page, choose + Add diagnostic setting and perform the following operations:

1. Provide a unique name for your new diagnostic setting in the Diagnostic setting name box.
2. For Destination details, select Archive to a storage account, choose the Azure subscription and the storage account required for audit log file storage.
3. For Logs, select the Audit Logs checkbox available in the Categories section to enable AuditEvent logging for the new diagnostic setting. Set the number of days to retain log data for the selected Key Vault in the Retention (days) box to 365 or 0. A setting of 0 (zero) days retains the logs forever.
4. Choose Save to apply the changes.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

01 Run monitor diagnostic-settings create command (Windows/macOS/Linux) to create a new Key Vault diagnostic setting that will enable and configure AuditEvent logging for the specified Azure Key Vault. For example, the following monitor diagnostic-settings create command request creates a diagnostic setting with the name "cc-audit-event-log-setting", for an Azure Key Vault identified by ID "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-main-key-vault", that retains AuditEvent logging data for 365 days within a storage account identified by the ID "abcdabcdabcdabcdabcdabcd":

az monitor diagnostic-settings create
  --name cc-audit-event-log-setting
  --resource /subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-main-key-vault
  --storage-account abcdabcdabcdabcdabcdabcd
  --logs '[{"category": "AuditEvent","enabled": true,"retentionPolicy": {"enabled": true,"days": 365}}]'

02 The command output should return the configuration metadata for the newly created Azure Key Vault diagnostic setting:

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/microsoft.keyvault/vaults/cc-main-key-vault/providers/microsoft.insights/diagnosticSettings/cc-audit-event-log-setting",
	"logs": [
		{
			"category": "AuditEvent",
			"enabled": true,
			"retentionPolicy": {
				"days": 365,
				"enabled": true
			}
		}
	],
	"metrics": [],
	"name": "cc-audit-event-log-setting",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"storageAccountId": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.Storage/storageAccounts/abcdabcdabcdabcdabcdabcd",
	"type": "Microsoft.Insights/diagnosticSettings"
}

03 Repeat steps no. 1 and 2 for each subscription created within your Microsoft Azure cloud account.