About The Authorization Events in AppServiceAuditLogs

Posted by

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

Customers may see such authorization events in App Service -> Monitoring -> Logs -> AppServiceAuditLogs, and be puzzled by these entries.


Resource field value is your app service web app name, and the User account of KUDU line is '$' plus your app name.

The User account of AAD line is 10032*****, totally 16 digit number. This is the Net ID of your logged in AAD account.

You can query the 'UserDisplayName' column  to display the readable user account name of this NET ID. 


What's that? 

These are the authentication and authorization events when accessing the KUDU site(the .scm site) by Web browser.

Refer to https://github.com/projectkudu/kudu/wiki/Accessing-the-kudu-service

When access to SCM site, the scm service requires authentication and authorization.



There are 2 authentication mechanisms.

  • Single sign on. This is only available and a default mechanism accessing via browser. User will be authenticated via AAD login.
  • Basic Auth using Deployment-credentials. This is default for non browser - such as curl. However, one can force this mode on browser by appending basicauth such as https://mysite.scm.azurewebsites.net/basicauth.


What Kind of User Operations Trigger Kudu Authorization Events?

      • Code publishing and package deployments such as via Web Deploy, Local Git or GitHub, will trigger the access to Kudu service, since Kudu is the deployment engine of App Service.
      • Directly accessing the Kudu site URL, e.g. Go to  https://mysite.scm.azurewebsites.net/ in web browser will also trigger the access to Kudu Service.
      • What's more, when you browse via Azure Portal such as checking the configuration of App Service, it will also trigger the access to KUDU service.

For example, visit Settings -> Web Jobs, Development Tools -> Extensions, API -> API management, Process Explorer and Metrics under Monitoring, etc on Azure App service Portal  https://ms.portal.azure.com/,  it will trigger such kind of below requests to the Kudu/SCM service. And these requests will default log in to Kudu with the user's AAD account. 










Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.