How to Monitor Outsourced Developers: Azure Monitor > Activity Log

How to Monitor Outsourced Developers: Azure Monitor > Activity Log

Use azure monitor outsourced developers activity log to export, alert on, and retain contractor Azure changes for ISO 27001 8.30 evidence.

LakeRidge Team
July 17, 2026
7 min read

Share:

Schedule Your Free Compliance Consultation

Feeling overwhelmed by compliance requirements? Not sure where to start? Get expert guidance tailored to your specific needs in just 15 minutes.

Personalized Compliance Roadmap
Expert Answers to Your Questions
No Obligation, 100% Free

CMMC Phase 2 begins November 10, 2026.

ISO 27001 control 8.30 requires the organization to direct, monitor, and review outsourced system-development activity, and azure monitor outsourced developers activity log can provide the Azure-side audit trail for that oversight. Configure Azure Activity Log export to a Log Analytics workspace, alert on high-risk contractor changes, retain the records, and perform a documented review so an assessor can see who changed Azure resources, when, and under what authorization.

How do you configure azure monitor outsourced developers activity log monitoring?

Azure Activity Log records control-plane events at the subscription level, including resource deployments, role assignments, network changes, policy changes, and administrative actions. For ISO 27001 8.30, configure it centrally for every subscription where an external development firm can build, deploy, administer, or troubleshoot workloads.

  1. Create a dedicated Log Analytics workspace for compliance monitoring. In the Azure portal, go to Log Analytics workspaces > Create. Select the subscription used for centralized security services, choose a restricted resource group such as rg-compliance-monitoring-prod, and create a workspace such as law-compliance-audit-prod. Select the region that meets your data-residency requirements.
  2. Limit workspace access before sending logs. Open the new workspace and select Access control (IAM) > Add > Add role assignment. Assign Log Analytics Reader to the compliance review group and Log Analytics Contributor only to the small security operations group that must create queries and alerts. Do not grant the outsourced developer group access to alter diagnostic settings or delete monitoring resources.
  3. Export the subscription Activity Log. In the Azure portal, search for and open Monitor > Activity Log. Set the Subscription filter to the subscription used by outsourced developers. Select Export Activity Logs, then select + Add diagnostic setting.
  4. Configure the diagnostic setting. Enter a clear setting name, such as send-activity-log-to-law-compliance-audit. Under Category details, select Administrative, Security, Policy, Alert, ServiceHealth, and Recommendation. Under Destination details, select Send to Log Analytics workspace, choose law-compliance-audit-prod, and select Save.
  5. Set retention for the AzureActivity table. Open Log Analytics workspaces > law-compliance-audit-prod > Tables. Locate AzureActivity, select the row, and choose Manage table. Set Interactive retention to 90 days and Total retention to 365 days, then save. A one-year retention period gives the compliance team sufficient evidence for periodic reviews and most audit cycles; use a longer period if contractual, regulatory, or customer requirements require it.
  6. Create a high-risk role-change alert. Go to Monitor > Alerts > + Create > Alert rule. Under Scope, select the monitored subscription. Under Condition, select See all signals and choose the Activity Log signal. Configure the event filter with Event category: Administrative and Operation name: Microsoft.Authorization/roleAssignments/write. This identifies creation or modification of Azure role assignments, including privileged access granted to an external developer.
  7. Route alerts to accountable employees. In the same alert rule, select or create an Action group. Use a name such as ag-security-compliance-escalation, add the security operations mailbox and the compliance officer’s monitored distribution list, and configure an email notification. Name the rule Alert-Contractor-Role-Assignment-Change, set Severity to Sev 2, set Enable rule upon creation to Yes, and select Create alert rule.
  8. Create a second alert for sensitive infrastructure changes. Repeat the alert-rule process for a relevant operation, such as Microsoft.Network/networkSecurityGroups/securityRules/write or Microsoft.KeyVault/vaults/secrets/write. Use the same action group, but tailor the alert name to the risk, for example Alert-Contractor-NSG-Rule-Change. Do not attempt to alert on every normal deployment; focus immediate alerts on changes that could create unauthorized access, weaken segmentation, or expose secrets.

A practical configuration is to use a separate Azure subscription or resource group for each development supplier and assign named Entra ID accounts rather than shared accounts. The Activity Log’s Caller field is substantially more useful during a review when it maps to an individual contractor identity and a documented supplier team.

What does this look like in a real outsourced-development workflow?

Consider a 650-person manufacturer that sells industrial control assemblies into enterprise supply chains. Its eight-person outsourced development partner maintains an Azure-hosted supplier portal, an API that exchanges shipment-status data with customers, and non-production integration environments. The company exports Activity Log records from the production and development subscriptions into law-compliance-audit-prod, but only permits the partner to deploy through approved Azure DevOps pipelines and to administer resources in the development subscription.

When a contractor changes a network security group rule for the supplier portal, the Alert-Contractor-NSG-Rule-Change notification goes to security and compliance. The compliance officer compares the caller, affected resource, and time of change with the approved change ticket and weekly supplier status report. That is a reviewable control activity, rather than merely a log collection exercise.

How do you verify that Azure Activity Log monitoring is working?

Verification should prove both that Azure is producing records and that the organization can find and review them. Perform this test after initial configuration, after major subscription changes, and at least annually as part of control testing.

  1. Use an authorized outsourced developer account to make a harmless, approved change in a non-production resource group. For example, open Resource groups > rg-dev-supplier > Tags > Add, add MonitoringTest = YYYY-MM-DD, and select Save.
  2. Open Monitor > Activity Log, filter on the relevant subscription and set Event category to Administrative. Confirm that the event shows the correct Initiated by identity, resource group, operation, timestamp, and status.
  3. Open Log Analytics workspaces > law-compliance-audit-prod > Logs. Run the following query to confirm that exported activity is arriving in the AzureActivity table.
AzureActivity
| where TimeGenerated > ago(24h)
| where Caller has "@supplier.example"
| project TimeGenerated, Caller, OperationNameValue, ActivityStatusValue,
          ResourceGroup, ResourceId, SubscriptionId
| order by TimeGenerated desc
  1. For the role-assignment alert, make a controlled test change using a temporary, least-privileged test assignment in a non-production subscription, then remove it immediately after validation. Confirm the alert appears under Monitor > Alerts > Alert history and that the action-group email reached the designated internal recipients.

For ongoing assurance, schedule a weekly review of Azure Monitor activity-log records related to supplier accounts and a monthly review of privileged changes and alert outcomes. Record the reviewer, review period, exceptions identified, ticket references, and closure date in the organization’s control-evidence repository.

What evidence should a compliance officer retain for an ISO 27001 assessor?

Evidence item Where to obtain it What it proves
Diagnostic-setting screenshot or configuration export Monitor > Activity Log > Export Activity Logs Administrative, Security, Policy, Alert, ServiceHealth, and Recommendation events are exported to the designated workspace.
AzureActivity retention screenshot Log Analytics workspace > Tables > AzureActivity > Manage table Monitoring records are retained for the approved period.
Alert-rule and action-group screenshots Monitor > Alerts > Alert rules High-risk outsourced-developer changes trigger internal notification.
Monthly query export in CSV format Log Analytics workspace > Logs > Export > Export to CSV The organization can identify supplier activity, affected resources, and outcomes for the review period.
Completed review record and linked change tickets Compliance evidence repository or GRC system Personnel actually reviewed outsourced-development activity and followed up on exceptions.

Keep evidence organized by review period and subscription. For an assessor, a configuration screenshot alone does not demonstrate compliance with ISO 27001 8.30; the review record is what demonstrates that the organization monitored and acted on the information collected.

Where does Azure Monitor Activity Log fall short for outsourced development?

Azure Activity Log is strong evidence of Azure control-plane activity, but it does not show source-code commits, pull-request approvals, secure coding review, testing results, contractual obligations, developer time tracking, or whether a change was authorized before it was deployed. It also does not provide complete visibility into application-level actions or every data-plane operation; for those, enable service-specific diagnostic logs where appropriate, such as Key Vault audit logs, Azure SQL auditing, Microsoft Entra sign-in logs, and application logs.

To fully satisfy the requirement that the organization “direct, monitor and review the activities related to outsourced system development,” pair Azure Monitor Activity Log monitoring for outsourced developers with supplier contract clauses, named-account access requirements, documented change approval, Azure DevOps or GitHub pull-request evidence, periodic access reviews, and a defined escalation process. The Activity Log establishes who changed Azure; the development governance process establishes whether the change was approved, reviewed, tested, and accepted.

Next step: configure the diagnostic setting in your highest-risk Azure subscription this week, then add the resulting screenshots and first monthly review record to your ISO 27001 8.30 evidence set.

 

Quick & Simple

Discover Our Cybersecurity Compliance Solutions:

Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you

 CMMC Level 1 Compliance App

CMMC Level 1 Compliance

Become compliant, provide compliance services, or verify partner compliance with CMMC Level 1 Basic Safeguarding of Covered Contractor Information Systems requirements.
 NIST SP 800-171 & CMMC Level 2 Compliance App

NIST SP 800-171 & CMMC Level 2 Compliance

Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC Level 2 requirements.
 HIPAA Compliance App

HIPAA Compliance

Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
 ISO 27001 Compliance App

ISO 27001 Compliance

Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.
 FAR 52.204-21 Compliance App

FAR 52.204-21 Compliance

Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
 ECC Compliance App

ECC Compliance

Become compliant, provide compliance services, or verify partner compliance with Essential Cybersecurity Controls (ECC – 2 : 2024) requirements.