
Include user identity in HttpRequest logs

Open maskati opened this issue 3 years ago • 10 comments

The App Configuration request log table AACHttpRequest does not include details about the requesting identity. This information should be available similarly to CallerIdentity in the AACAudit table as it is useful for both audit and troubleshooting purposes.

maskati avatar Feb 08 '22 20:02 maskati

It would indeed be great to have such logging, as it's otherwise unclear who accesses a certain key.

m-adami avatar Jul 04 '22 15:07 m-adami

Indeed, it could be valuable. Introducing user identifiable information anywhere needs some consideration to respect data privacy. As such, I am inclined to say that the auditing table should be the sole place where such identifying information is held, by design, and perhaps a way to link HTTP requests to audit entries if desired.

@zhenlan @drago-draganov for additional thoughts.

jimmyca15 avatar Jul 31 '23 17:07 jimmyca15

My understanding is that AACAudit is for auditing configuration updates, while AACHttpRequest is a log of all inbound requests including configuration reads. Typically service request logs of Azure AD (Microsoft Entra ID 🙂) authenticated requests include the AAD principal object identifier (GUID), which is not in itself personally identifiable information but a pseudonym mapping to the principal.

maskati avatar Aug 01 '23 05:08 maskati

The AACAudit and AACHttpRequest log tables both have the RequestId column which can be used for correlation.

microsoft-saya avatar Aug 04 '23 21:08 microsoft-saya

Agreed. I do see the value of including user identity in the HttpRequest logs. However, the user identity (even the hashed/pseudo-ones) is considered as personally identifiable information (PII). So, as Jimmy pointed out, we must navigate through the data privacy requirements. Thanks for the feedback. We will share when we have any updates.

zhenlan avatar Sep 23 '23 00:09 zhenlan

@zhenlan please also discuss with other product teams that include identity in request logs which might help in navigating privacy requirements. Some examples:

  • Azure Storage Blob request logs in StorageBlobLogs include RequesterObjectId, which is the AAD object ID of the requesting principal.
  • Log Analytics workspace query logs in LAQueryLogs include AADObjectId, which is the AAD object ID of the requesting principal.
  • Key Vault uses common schema which includes an identity property containing claims regarding the requesting principal, including ...objectidentifier which is the AAD object ID of the requesting principal.

maskati avatar Sep 25 '23 06:09 maskati

@maskati I wanted to understand more about your need for adding the caller identity details to the http request logs. Could you please explain your use case further? Also, from the examples you stated, only the Azure Storage team has the caller identity in their resource logs. The Log analytics and Key Vault team have added the caller identities to their Audit logs, which follows the privacy design requirements.

microsoft-saya avatar Apr 22 '24 21:04 microsoft-saya

Key Vault and Log Analytics include details of read operations in their audits while AAC doesn’t. If you want to understand who has read specific AAC entries you cannot at the moment achieve that.

maskati avatar Apr 23 '24 04:04 maskati
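
The RequestId correlation suggested earlier in the thread, written as a Log Analytics (KQL) query that also measures the gap described in the comment above: requests with no matching AACAudit row come back with an empty CallerIdentity. This is an added example, not part of any comment or of the product's documentation; only RequestId and CallerIdentity are named in the thread, while TimeGenerated is the standard Log Analytics timestamp column, Method is assumed to be the HTTP verb column of AACHttpRequest, and the one-day look-back is a constructed value.

```kusto
// Added example: attribute App Configuration requests to a caller by
// joining the request log to the audit log on RequestId.
let lookback = 1d;   // constructed look-back period
let audit =
    AACAudit
    | where TimeGenerated > ago(lookback)
    // collapse to one row per request so the join cannot duplicate requests
    | summarize CallerIdentity = take_any(CallerIdentity) by RequestId;
AACHttpRequest
| where TimeGenerated > ago(lookback)
// leftouter keeps every request, including those without an audit row
| join kind=leftouter audit on RequestId
| summarize
    Requests     = count(),
    Attributed   = countif(isnotempty(CallerIdentity)),
    Unattributed = countif(isempty(CallerIdentity))
    by Method   // assumed column name for the HTTP verb
| extend AttributedPct = round(100.0 * Attributed / Requests, 1)
| order by Unattributed desc
```

A high Unattributed count for read requests is the condition the thread is about: the request is logged, but no identity can be recovered for it through the audit table.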

@maskati would this be in the dev or prod environment?

microsoft-saya avatar Apr 23 '24 18:04 microsoft-saya

@microsoft-saya auditing, including read audits, is most relevant in production environments.

maskati avatar Apr 24 '24 13:04 maskati