Share via

Server DevOps Audit Settings - Create Or Update

Service:
SQL Database
API Version:
2023-08-01

Creates or updates a server's DevOps audit settings.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Sql/servers/{serverName}/devOpsAuditingSettings/Default?api-version=2023-08-01

URI Parameters

Name In Required Type Description
devOpsAuditingSettingsName
 path True

DevOpsAuditingSettingsName

resourceGroupName
 path True

string

The name of the resource group that contains the resource. You can obtain this value from the Azure Resource Manager API or the portal.
serverName
 path True

string

The name of the server.
subscriptionId
 path True

string

The subscription ID that identifies an Azure subscription.
api-version
 query True

string

The API version to use for the request.

Request Body

Name Required Type Description
properties.state True

BlobAuditingPolicyState

Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled are required.
properties.isAzureMonitorTargetEnabled

boolean

Specifies whether DevOps audit events are sent to Azure Monitor. In order to send the events to Azure Monitor, specify 'State' as 'Enabled' and 'IsAzureMonitorTargetEnabled' as true.

When using REST API to configure DevOps audit, Diagnostic Settings with 'DevOpsOperationsAudit' diagnostic logs category on the master database should be also created.

Diagnostic Settings URI format: PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Sql/servers/{serverName}/databases/master/providers/microsoft.insights/diagnosticSettings/{settingsName}?api-version=2017-05-01-preview

For more information, see Diagnostic Settings REST API or Diagnostic Settings PowerShell
properties.isManagedIdentityInUse

boolean

Specifies whether Managed Identity is used to access blob storage
properties.storageAccountAccessKey

string

Specifies the identifier key of the auditing storage account. If state is Enabled and storageEndpoint is specified, not specifying the storageAccountAccessKey will use SQL server system-assigned managed identity to access the storage. Prerequisites for using managed identity authentication:

  1. Assign SQL Server a system-assigned managed identity in Azure Active Directory (AAD).
  2. Grant SQL Server identity access to the storage account by adding 'Storage Blob Data Contributor' RBAC role to the server identity. For more information, see Auditing to storage using Managed Identity authentication
properties.storageAccountSubscriptionId

string (uuid)

Specifies the blob storage subscription Id.
properties.storageEndpoint

string

Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled is required.

Responses

Name Type Description
200 OK

ServerDevOpsAuditingSettings

Successfully updated the DevOps audit settings.
202 Accepted

Updating the audit DevOps settings is in progress.

Headers

Location: string
Other Status Codes

ErrorResponse

*** Error Responses: ***

  • 400 ManagedInstanceStoppingOrStopped - Conflicting operation submitted while instance is in stopping/stopped state

  • 400 ManagedInstanceStarting - Conflicting operation submitted while instance is in starting state

  • 400 InvalidServerDevOpsAuditSettingsCreateRequest - The create server DevOps audit policy request does not exist or has no properties object.

  • 400 DataSecurityInvalidUserSuppliedParameter - An invalid parameter value was provided by the client.

  • 400 InvalidServerDevOpsAuditSettingsName - Invalid server DevOps policy name.

  • 400 DevOpsAuditInvalidStorageAccountCredentials - The provided storage account or access key is not valid.

  • 404 ServerNotInSubscriptionResourceGroup - Specified server does not exist in the specified resource group and subscription.

  • 404 SubscriptionDoesNotHaveServer - The requested server was not found

  • 404 OperationIdNotFound - The operation with Id does not exist.

  • 409 ServerDevOpsAuditSettingsInProgress - Set server DevOps audit is already in progress.

  • 409 CannotCancelOperation - The management operation is in a state that cannot be cancelled.

  • 409 OperationCancelled - The operation has been cancelled by user.

  • 409 OperationInterrupted - The operation on the resource could not be completed because it was interrupted by another operation on the same resource.

  • 429 SubscriptionTooManyCreateUpdateRequests - Requests beyond max requests that can be processed by available resources.

  • 429 SubscriptionTooManyRequests - Requests beyond max requests that can be processed by available resources.

  • 500 OperationTimedOut - The operation timed out and automatically rolled back. Please retry the operation.

  • 503 TooManyRequests - Requests beyond max requests that can be processed by available resources.

Examples

Update a server's DevOps audit settings with all params
Update a server's DevOps audit settings with minimal input

Update a server's DevOps audit settings with all params

Sample request

PUT https://management.azure.com/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/devAuditTestRG/providers/Microsoft.Sql/servers/devOpsAuditTestSvr/devOpsAuditingSettings/Default?api-version=2023-08-01

{
  "properties": {
    "state": "Enabled",
    "storageAccountAccessKey": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "storageEndpoint": "https://mystorage.blob.core.windows.net",
    "storageAccountSubscriptionId": "00000000-1234-0000-5678-000000000000",
    "isAzureMonitorTargetEnabled": true
  }
}

Sample response

Status code:
200 
{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/devAuditTestRG/providers/Microsoft.Sql/servers/devOpsAuditTestSvr/devOpsAuditingSettings/default",
  "name": "Default",
  "type": "Microsoft.Sql/servers/devOpsAuditingSettings",
  "properties": {
    "state": "Enabled",
    "storageEndpoint": "https://mystorage.blob.core.windows.net",
    "storageAccountSubscriptionId": "00000000-1234-0000-5678-000000000000",
    "isAzureMonitorTargetEnabled": true
  }
}
Status code:
202

Update a server's DevOps audit settings with minimal input

Sample request

PUT https://management.azure.com/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/devAuditTestRG/providers/Microsoft.Sql/servers/devOpsAuditTestSvr/devOpsAuditingSettings/Default?api-version=2023-08-01

{
  "properties": {
    "state": "Enabled",
    "storageAccountAccessKey": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "storageEndpoint": "https://mystorage.blob.core.windows.net"
  }
}

Sample response

Status code:
200 
{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/devAuditTestRG/providers/Microsoft.Sql/servers/devOpsAuditTestSvr/devOpsAuditingSettings/default",
  "name": "Default",
  "type": "Microsoft.Sql/servers/devOpsAuditingSettings",
  "properties": {
    "state": "Enabled",
    "storageEndpoint": "https://mystorage.blob.core.windows.net",
    "storageAccountSubscriptionId": "00000000-1234-0000-5678-000000000000"
  }
}
Status code:
202

Definitions

Name Description
BlobAuditingPolicyState

Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled are required.
createdByType

The type of identity that created the resource.
DevOpsAuditingSettingsName
ErrorAdditionalInfo

The resource management error additional info.
ErrorDetail

The error detail.
ErrorResponse

Error response
ServerDevOpsAuditingSettings

A server DevOps auditing settings.
systemData

Metadata pertaining to creation and last modification of the resource.

BlobAuditingPolicyState

Enumeration

Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled are required.

Value Description
Disabled
Enabled

createdByType

Enumeration

The type of identity that created the resource.

Value Description
Application
Key
ManagedIdentity
User

DevOpsAuditingSettingsName

Enumeration
Value Description
Default

ErrorAdditionalInfo

Object

The resource management error additional info.

Name Type Description
info

object

The additional info.
type

string

The additional info type.

ErrorDetail

Object

The error detail.

Name Type Description
additionalInfo

ErrorAdditionalInfo[]

The error additional info.
code

string

The error code.
details

ErrorDetail[]

The error details.
message

string

The error message.
target

string

The error target.

ErrorResponse

Object

Error response

Name Type Description
error

ErrorDetail

The error object.

ServerDevOpsAuditingSettings

Object

A server DevOps auditing settings.

Name Type Description
id

string

Resource ID.
name

string

Resource name.
properties.isAzureMonitorTargetEnabled

boolean

Specifies whether DevOps audit events are sent to Azure Monitor. In order to send the events to Azure Monitor, specify 'State' as 'Enabled' and 'IsAzureMonitorTargetEnabled' as true.

When using REST API to configure DevOps audit, Diagnostic Settings with 'DevOpsOperationsAudit' diagnostic logs category on the master database should be also created.

Diagnostic Settings URI format: PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Sql/servers/{serverName}/databases/master/providers/microsoft.insights/diagnosticSettings/{settingsName}?api-version=2017-05-01-preview

For more information, see Diagnostic Settings REST API or Diagnostic Settings PowerShell
properties.isManagedIdentityInUse

boolean

Specifies whether Managed Identity is used to access blob storage
properties.state

BlobAuditingPolicyState

Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled are required.
properties.storageAccountAccessKey

string

Specifies the identifier key of the auditing storage account. If state is Enabled and storageEndpoint is specified, not specifying the storageAccountAccessKey will use SQL server system-assigned managed identity to access the storage. Prerequisites for using managed identity authentication:

  1. Assign SQL Server a system-assigned managed identity in Azure Active Directory (AAD).
  2. Grant SQL Server identity access to the storage account by adding 'Storage Blob Data Contributor' RBAC role to the server identity. For more information, see Auditing to storage using Managed Identity authentication
properties.storageAccountSubscriptionId

string (uuid)

Specifies the blob storage subscription Id.
properties.storageEndpoint

string

Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled is required.
systemData

systemData

SystemData of ServerDevOpsAuditSettingsResource.
type

string

Resource type.

systemData

Object

Metadata pertaining to creation and last modification of the resource.

Name Type Description
createdAt

string (date-time)

The timestamp of resource creation (UTC).
createdBy

string

The identity that created the resource.
createdByType

createdByType

The type of identity that created the resource.
lastModifiedAt

string (date-time)

The timestamp of resource last modification (UTC)
lastModifiedBy

string

The identity that last modified the resource.
lastModifiedByType

createdByType

The type of identity that last modified the resource.