ISO 27001 control 8.30 requires the organization to direct, monitor, and review outsourced system-development activity, and azure monitor outsourced developers activity log can provide the Azure-side audit trail for that oversight. Configure Azure Activity Log export to a Log Analytics workspace, alert on high-risk contractor changes, retain the records, and perform a documented review so an assessor can see who changed Azure resources, when, and under what authorization.
How do you configure azure monitor outsourced developers activity log monitoring?
Azure Activity Log records control-plane events at the subscription level, including resource deployments, role assignments, network changes, policy changes, and administrative actions. For ISO 27001 8.30, configure it centrally for every subscription where an external development firm can build, deploy, administer, or troubleshoot workloads.
- Create a dedicated Log Analytics workspace for compliance monitoring. In the Azure portal, go to
Log Analytics workspaces>Create. Select the subscription used for centralized security services, choose a restricted resource group such asrg-compliance-monitoring-prod, and create a workspace such aslaw-compliance-audit-prod. Select the region that meets your data-residency requirements. - Limit workspace access before sending logs. Open the new workspace and select
Access control (IAM)>Add>Add role assignment. AssignLog Analytics Readerto the compliance review group andLog Analytics Contributoronly to the small security operations group that must create queries and alerts. Do not grant the outsourced developer group access to alter diagnostic settings or delete monitoring resources. - Export the subscription Activity Log. In the Azure portal, search for and open
Monitor>Activity Log. Set theSubscriptionfilter to the subscription used by outsourced developers. SelectExport Activity Logs, then select+ Add diagnostic setting. - Configure the diagnostic setting. Enter a clear setting name, such as
send-activity-log-to-law-compliance-audit. UnderCategory details, selectAdministrative,Security,Policy,Alert,ServiceHealth, andRecommendation. UnderDestination details, selectSend to Log Analytics workspace, chooselaw-compliance-audit-prod, and selectSave. - Set retention for the AzureActivity table. Open
Log Analytics workspaces>law-compliance-audit-prod>Tables. LocateAzureActivity, select the row, and chooseManage table. SetInteractive retentionto90 daysandTotal retentionto365 days, then save. A one-year retention period gives the compliance team sufficient evidence for periodic reviews and most audit cycles; use a longer period if contractual, regulatory, or customer requirements require it. - Create a high-risk role-change alert. Go to
Monitor>Alerts>+ Create>Alert rule. UnderScope, select the monitored subscription. UnderCondition, selectSee all signalsand choose theActivity Logsignal. Configure the event filter withEvent category: AdministrativeandOperation name: Microsoft.Authorization/roleAssignments/write. This identifies creation or modification of Azure role assignments, including privileged access granted to an external developer. - Route alerts to accountable employees. In the same alert rule, select or create an
Action group. Use a name such asag-security-compliance-escalation, add the security operations mailbox and the compliance officer’s monitored distribution list, and configure an email notification. Name the ruleAlert-Contractor-Role-Assignment-Change, setSeveritytoSev 2, setEnable rule upon creationtoYes, and selectCreate alert rule. - Create a second alert for sensitive infrastructure changes. Repeat the alert-rule process for a relevant operation, such as
Microsoft.Network/networkSecurityGroups/securityRules/writeorMicrosoft.KeyVault/vaults/secrets/write. Use the same action group, but tailor the alert name to the risk, for exampleAlert-Contractor-NSG-Rule-Change. Do not attempt to alert on every normal deployment; focus immediate alerts on changes that could create unauthorized access, weaken segmentation, or expose secrets.
A practical configuration is to use a separate Azure subscription or resource group for each development supplier and assign named Entra ID accounts rather than shared accounts. The Activity Log’s Caller field is substantially more useful during a review when it maps to an individual contractor identity and a documented supplier team.
What does this look like in a real outsourced-development workflow?
Consider a 650-person manufacturer that sells industrial control assemblies into enterprise supply chains. Its eight-person outsourced development partner maintains an Azure-hosted supplier portal, an API that exchanges shipment-status data with customers, and non-production integration environments. The company exports Activity Log records from the production and development subscriptions into law-compliance-audit-prod, but only permits the partner to deploy through approved Azure DevOps pipelines and to administer resources in the development subscription.
When a contractor changes a network security group rule for the supplier portal, the Alert-Contractor-NSG-Rule-Change notification goes to security and compliance. The compliance officer compares the caller, affected resource, and time of change with the approved change ticket and weekly supplier status report. That is a reviewable control activity, rather than merely a log collection exercise.
How do you verify that Azure Activity Log monitoring is working?
Verification should prove both that Azure is producing records and that the organization can find and review them. Perform this test after initial configuration, after major subscription changes, and at least annually as part of control testing.
- Use an authorized outsourced developer account to make a harmless, approved change in a non-production resource group. For example, open
Resource groups>rg-dev-supplier>Tags>Add, addMonitoringTest = YYYY-MM-DD, and selectSave. - Open
Monitor>Activity Log, filter on the relevant subscription and setEvent categorytoAdministrative. Confirm that the event shows the correctInitiated byidentity, resource group, operation, timestamp, and status. - Open
Log Analytics workspaces>law-compliance-audit-prod>Logs. Run the following query to confirm that exported activity is arriving in theAzureActivitytable.
AzureActivity
| where TimeGenerated > ago(24h)
| where Caller has "@supplier.example"
| project TimeGenerated, Caller, OperationNameValue, ActivityStatusValue,
ResourceGroup, ResourceId, SubscriptionId
| order by TimeGenerated desc
- For the role-assignment alert, make a controlled test change using a temporary, least-privileged test assignment in a non-production subscription, then remove it immediately after validation. Confirm the alert appears under
Monitor>Alerts>Alert historyand that the action-group email reached the designated internal recipients.
For ongoing assurance, schedule a weekly review of Azure Monitor activity-log records related to supplier accounts and a monthly review of privileged changes and alert outcomes. Record the reviewer, review period, exceptions identified, ticket references, and closure date in the organization’s control-evidence repository.
What evidence should a compliance officer retain for an ISO 27001 assessor?
| Evidence item | Where to obtain it | What it proves |
|---|---|---|
| Diagnostic-setting screenshot or configuration export | Monitor > Activity Log > Export Activity Logs |
Administrative, Security, Policy, Alert, ServiceHealth, and Recommendation events are exported to the designated workspace. |
| AzureActivity retention screenshot | Log Analytics workspace > Tables > AzureActivity > Manage table |
Monitoring records are retained for the approved period. |
| Alert-rule and action-group screenshots | Monitor > Alerts > Alert rules |
High-risk outsourced-developer changes trigger internal notification. |
| Monthly query export in CSV format | Log Analytics workspace > Logs > Export > Export to CSV |
The organization can identify supplier activity, affected resources, and outcomes for the review period. |
| Completed review record and linked change tickets | Compliance evidence repository or GRC system | Personnel actually reviewed outsourced-development activity and followed up on exceptions. |
Keep evidence organized by review period and subscription. For an assessor, a configuration screenshot alone does not demonstrate compliance with ISO 27001 8.30; the review record is what demonstrates that the organization monitored and acted on the information collected.
Where does Azure Monitor Activity Log fall short for outsourced development?
Azure Activity Log is strong evidence of Azure control-plane activity, but it does not show source-code commits, pull-request approvals, secure coding review, testing results, contractual obligations, developer time tracking, or whether a change was authorized before it was deployed. It also does not provide complete visibility into application-level actions or every data-plane operation; for those, enable service-specific diagnostic logs where appropriate, such as Key Vault audit logs, Azure SQL auditing, Microsoft Entra sign-in logs, and application logs.
To fully satisfy the requirement that the organization “direct, monitor and review the activities related to outsourced system development,” pair Azure Monitor Activity Log monitoring for outsourced developers with supplier contract clauses, named-account access requirements, documented change approval, Azure DevOps or GitHub pull-request evidence, periodic access reviews, and a defined escalation process. The Activity Log establishes who changed Azure; the development governance process establishes whether the change was approved, reviewed, tested, and accepted.
Next step: configure the diagnostic setting in your highest-risk Azure subscription this week, then add the resulting screenshots and first monthly review record to your ISO 27001 8.30 evidence set.