Tags: azure-sql-database, audit-logging

Azure SQL Database - Auditing members of Admin group


I have some Azure SQL Database environments where the Active Directory admin is set to an AAD group.

I need to set up auditing on Azure SQL Database environments so that all activity from the users who are members of that group is captured. I've got the basic Azure SQL Auditing set up and working, but it generates way too much logging.

I think I need to use the PowerShell command Set-AzSqlServerAudit to filter it with the PredicateExpression option, but I cannot find any query that will filter for members of that group. Any similar approach would be acceptable (e.g. checking for any elevated permissions, whether in that group or not) as long as it includes that group.

Is it possible?


Solution

I found that I can use the following PredicateExpression to audit any admin activity on the database:

    -PredicateExpression "[database_principal_name] = 'dbo'"

I used the audit log definition at https://learn.microsoft.com/en-us/azure/azure-sql/database/audit-log-format?view=azuresql to see the list of available fields.
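The following is an added worked example (not code from the original question or answer) of applying that predicate with Set-AzSqlServerAudit and sending the filtered events to a Log Analytics workspace. The resource group, server name, workspace resource ID and the list of member UPNs are placeholders that you would replace with your own; the member list is constructed here by hand rather than pulled from the directory.

```powershell
# Added example, not part of the original post. Filters Azure SQL server-level
# auditing so that only activity by the AAD admin group is recorded.
# $rg, $server, $workspace and $members are assumed/constructed values.

$rg        = 'rg-sql-prod'      # assumed resource group
$server    = 'sql-prod-01'      # assumed logical SQL server name
$workspace = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sql-prod/providers/Microsoft.OperationalInsights/workspaces/law-sql-audit'  # assumed

# Check which AAD identity is configured as the server admin (expect the group).
Get-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $rg -ServerName $server |
    Select-Object DisplayName, ObjectId

# Constructed list of group members. The audit predicate cannot evaluate group
# membership itself, so a UPN list must be maintained and re-applied when the
# group changes (nested groups are not expanded here).
$members = @('alice@contoso.com', 'bob@contoso.com')

# Members of the AAD admin group act as dbo inside each database, so the
# database_principal_name = 'dbo' clause catches them. The server_principal_name
# clauses also catch a member who connects through a contained user of their own.
$clauses  = @("[database_principal_name] = 'dbo'")
$clauses += $members | ForEach-Object { "[server_principal_name] = '$_'" }
$predicate = ($clauses | ForEach-Object { "($_)" }) -join ' OR '

# Apply the filtered audit policy at server level (inherited by all databases).
Set-AzSqlServerAudit -ResourceGroupName $rg -ServerName $server `
    -LogAnalyticsTargetState Enabled -WorkspaceResourceId $workspace `
    -PredicateExpression $predicate

# Verify the predicate that is now in effect.
(Get-AzSqlServerAudit -ResourceGroupName $rg -ServerName $server).PredicateExpression
```

The predicate only supports simple comparisons joined with AND/OR/NOT, so the group-membership part has to be expanded into explicit server_principal_name values at configuration time; if the group membership changes, rerun the script to regenerate the predicate.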