Include user identity in HttpRequest logs

[maskati]

The App Configuration request log table AACHttpRequest does not include details about the requesting identity. This information should be available similarly to CallerIdentity in the AACAudit table as it is useful for both audit and troubleshooting purposes.

[m-adami]

It would be indeed great to have such logging as for it's otherwise unclear who accesses a certain key.

[jimmyca15]

Indeed, it could be valuable. Introducing user identifiable information anywhere needs some consideration to respect data privacy. As such, I am inclined to say that the auditing table should be the sole place where such identifying information is held, by design, and perhaps a way to link http request to audit entries if desired.

@zhenlan @drago-draganov for additional thoughts.

[maskati]

My understanding is that AACAudit is for auditing configuration updates, while AACHttpRequest is a log of all inbound requests including configuration reads. Typically service request logs of Azure AD (Microsoft Entra ID 🙂) authenticated requests include the AAD principal object identifier (GUID), which is not in itself personally identifiable information but a pseudonym mapping to the principal.

[microsoft-saya]

The AACAudit and AACHttpRequest log tables both have the RequestId column which can be used for correlation.

[zhenlan]

Agreed. I do see the value of including user identity in the HttpRequest logs. However, the user identity (even the hashed/pseudo-ones) is considered as personally identifiable information (PII). So, as Jimmy pointed out, we must navigate through the data privacy requirements. Thanks for the feedback. We will share when we have any updates.

[maskati]

@zhenlan please also discuss with other product teams that include identity in request logs which might help in navigating privacy requirements. Some examples:

• Azure Storage Blob request logs in StorageBlobLogs includes RequesterObjectId, which is the AAD object ID of the requesting principal.
• Log Analytics workspace query logs in LAQueryLogs includes AADObjectId, which is the AAD object ID of the requesting principal.
• Key Vault uses common schema which includes an identity property containing claims regarding the requesting principal, including ...objectidentifier which is the AAD object ID of the requesting principal

[microsoft-saya]

@maskati I wanted to understand more about your need for adding the caller identity details to the http request logs. Could you please explain your use case further? Also, from the examples you stated, only the Azure Storage team has the caller identity in their resource logs. The Log analytics and Key Vault team have added the caller identities to their Audit logs, which follows the privacy design requirements.

[maskati]

Key Vault and Log Analytics include details of read operations in their audits while AAC doesn’t. If you want to understand who has read specific AAC entries you cannot at the moment achieve that.

[microsoft-saya]

@maskati would this be in the dev or prod environment?

[maskati]

@microsoft-saya auditing, including read audits, are most relevant in production environments.