SQL Database was created, but no user was identified

  • Question

  • A new SQL database was created in our Production subscription.  When you go to the activity log for the new database, the log shows events starting last Friday (7/12/19).  However, there is no "create" event and the "event initiated by" values are all a single GUID, not a user id.  How can I find out what user created this database?  BTW, the database has a very logical name, so it appears a human being created it.

    Thanks

    Wednesday, July 17, 2019 6:27 PM

All replies

  • Thank you for your interest in Azure SQL Database.

    You will get this information from the Subscription Audit logs.

    From the Azure portal, navigate to Subscriptions -> Activity Log

    Filter on the Resource Type

    Add a filter for Operation

    The "Event Initiated By" column should give you the user. You can select the event and drill further into the JSON to get more information about the event.

    Do let us know if you have further questions.

    --

    If the above answer was helpful, click “Mark as Answer” and “Up-Vote”, which might be beneficial to other community members reading this thread.

    Thursday, July 18, 2019 4:21 AM
    Moderator
  • Generally this information was helpful, but did not provide an answer.  I can see when log entries start for this database, but the "Event Initiated By" column is blank.   
    Thursday, July 18, 2019 10:58 AM
  • Hi HeadSeagull,

    A freshly created Azure SQL Server instance + Database will only show two events as detailed in the attached screen shot if the filter is tied to a specific database.


    However, if you remove the filter associated with the specific database in question, you get all events associated with the entire deployment. The issue in your case is the "Event Initiated By" value that is appearing is a GUID and not an identifiable value, such as an email address.

    What user is accessing the Azure Portal and what is unique about this user? Are you a reseller or service provider where you have an authentication layer between the portal and your customers? Clearly, Kalyan and I are internal employees and as you can see, we are not having this issue. So, what I need to dig into is what is unique about the user id in your case? Thank you for providing additional details!

    Thursday, July 18, 2019 10:46 PM
    Moderator
    1. My client (Phase Three Brands) has a regular Azure subscription.  
    2. Under that subscription, I'm (seagullconsulting.biz) added as a user with a role of 'owner' as is one other 3rd party consultant (statusnotquo.com).  We are the only two users who add resources to the account
    3. A new Azure SQL database (P3Brands_Dev) showed up last Friday (7/12) and neither of us created it.  I'm beginning to think Azure created it for us.  
    4. It was created under a somewhat expensive pricing plan and charges were incurred by the client, which I don't think they should pay given we didn't create the database. 
    5. I want to make sure I know who created the database, before I request a credit from Microsoft.


    Friday, July 19, 2019 12:59 AM
  • Hello HeadSeagull,

    Thank you for providing more context. 

    It could have also been an application or service principal that created the resource.

    You can use the Get-AzureADObjectByObjectId cmdlet to find more information using the GUID in the "Event Initiated By" column:

    Install-Module -Name AzureAD
    Import-Module AzureAD
    Connect-AzureAD
    
    Get-AzureADObjectByObjectId -ObjectIds <GUID>
    

    Unfortunately, we cannot remotely access your account to troubleshoot further.

    So if the above solution doesn't work for you, please reach out to Azure support.

    Friday, July 19, 2019 10:45 AM
    Moderator
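
An added example, not part of any reply in this thread: a Python triage of exported Activity Log JSON that pulls out the database write events for one database and reports whether the caller is a sign-in name or a bare GUID, along with the object ID and application ID claims. The event field names (`caller`, `operationName.value`, `resourceId`, `claims`, `appid`) are assumed to match the export, and the sample events, GUIDs and the database name `Example_Dev` are constructed.

```python
import re

OID = "http://schemas.microsoft.com/identity/claims/objectidentifier"
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
DB_WRITE = "microsoft.sql/servers/databases/write"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample events (assumed export shape); all IDs and names are made up.
SRV = "/subscriptions/SUB/resourceGroups/rg/providers/Microsoft.Sql/servers/srv"
SP_OID = "11111111-2222-3333-4444-555555555555"
APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

def ev(ts, caller, op, status, rid, claims):
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "status": {"value": status}, "resourceId": rid, "claims": claims}

SAMPLE_EVENTS = [
    ev("2019-07-12T14:03:09Z", SP_OID, "Microsoft.Sql/servers/databases/write", "Succeeded",
       SRV + "/databases/Example_Dev", {"appid": APP_ID, OID: SP_OID}),
    ev("2019-07-12T14:02:51Z", SP_OID, "Microsoft.Sql/servers/databases/write", "Started",
       SRV + "/databases/Example_Dev", {"appid": APP_ID, OID: SP_OID}),
    ev("2019-07-15T09:10:00Z", "owner@example.com", "Microsoft.Sql/servers/firewallRules/write",
       "Succeeded", SRV + "/firewallRules/office", {UPN: "owner@example.com"}),
]

def caller_kind(caller):
    """Classify the 'Event Initiated By' value: GUID, sign-in name, or blank."""
    if not caller:
        return "unknown"
    return "guid-principal" if GUID_RE.match(caller) else "named-user"

def find_db_writes(events, db_name):
    """Return database write events for db_name, oldest first, with caller details."""
    suffix = "/databases/" + db_name.lower()
    hits = []
    for e in events:
        op = e.get("operationName", {}).get("value", "").lower()
        if op != DB_WRITE or not e.get("resourceId", "").lower().endswith(suffix):
            continue
        claims = e.get("claims") or {}
        caller = e.get("caller") or ""
        hits.append({"time": e.get("eventTimestamp", ""),
                     "status": e.get("status", {}).get("value"),
                     "caller": caller, "kind": caller_kind(caller),
                     "object_id": claims.get(OID), "app_id": claims.get("appid"),
                     "upn": claims.get(UPN)})
    return sorted(hits, key=lambda h: h["time"])

if __name__ == "__main__":
    for hit in find_db_writes(SAMPLE_EVENTS, "Example_Dev"):
        print(hit)
```

The `object_id` value it reports is the GUID to pass to `Get-AzureADObjectByObjectId -ObjectIds` as shown in the reply above.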
  • Thank you for this detail. Firstly, I would open a billing support request...like immediately. A billing support request requires no support plan nor will you be deducted from your allotment of available support requests. Secondly, if the potential bug here (minus the billing aspect) cannot be handled by support, then this needs to be handled as a potential bug and needs to go to support. 

    So, this needs to go to Azure Support either way. If you have a Support Request created and send me the SR number, I can present this scenario to the Product Group. You can send that info to AzCommunity or use my personal email address, since I took the calculated risk of publishing it in the screen capture. Also include your Azure Subscription ID, as we can take a look at your entire subscription.

    Regards,

    Mike



    Tuesday, July 23, 2019 1:55 AM
    Moderator