Azure CLI wrapped for seeing who created a VM or reset the password. Uses only Activity Log (control plane) logs.

who-vm.sh

#!/bin/bash

rgName=qu-rg

# comment out setting of the VM name to instead use the resource group (more results may be returned)
# you can also change the VM name here to focus on a different VM
###vmName=qu-sam-vm

if [ -z "${vmName}" ]; then
   # if vmName is not set, use the resource group
   RESOURCESCOPE="--resource-group $rgName"
   echo "Scope of scan is the $rgName resource group."
else
   vmId=$(az vm show --resource-group $rgName --name $vmName --query id -o tsv)
   RESOURCESCOPE="--resource-id $vmId"
   echo "Scope of scan is the $vmName VM."
fi

# echo "RESOURCESCOPE = $RESOURCESCOPE"

echo ""
echo "Activity Log (control plane) audit trail for creation of Windows Server VM resources"
echo ".... WHO CREATED VMs? ...."
az monitor activity-log list --max-events 10000 --offset 90d $RESOURCESCOPE --query "[?resourceType.value=='Microsoft.Compute/virtualMachines' && status.value=='Succeeded' && operationName.value=='Microsoft.Compute/virtualMachines/write'].{By:caller, At:eventTimestamp, Operation:operationName.localizedValue, Status:status.value, VM:resourceId}" -o table | sed 's|/subscriptions/.*/||' | sed 's/-\{20,\}$/------/g'

echo ""
echo "Activity Log (control plane) audit trail for invocation of VM extension \"enablevmAccess\" for password resets in Windows Server VMs"
echo ".... WHO RESET VM PASSWORDS? ...."
az monitor activity-log list --max-events 10000 --offset 90d $RESOURCESCOPE --query "[?ends_with(resourceId, 'enablevmAccess') && status.value=='Succeeded' && operationName.value == 'Microsoft.Compute/virtualMachines/extensions/write'].{By:caller, At:eventTimestamp, Operation:operationName.localizedValue, Status:status.value, VM:resourceId}" -o table | sed 's|/subscriptions/.*virtualMachines/||' | sed 's|/extensions/enablevmAccess||' | sed 's/-\{20,\}$/------/g'