Policy Exemptions
Query
AzureActivity
| where OperationNameValue contains "MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS"
| where ActivityStatusValue == "Start" or ActivityStatusValue == "Success"
| extend resource_ = tostring(parse_json(Properties).resource)
| project Caller, CallerIpAddress, resource_Explanation
This query retrieves Azure activity logs where the operation name contains "MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS" and the activity status is either "Start" or "Success". It then extracts the resource information from the properties and displays the caller, caller IP address, and resource in the result.
Details

Rod Trent
Released: May 3, 2021
Tables
AzureActivity
Keywords
AzureActivityOperationNameValueMICROSOFT.AUTHORIZATION/POLICYEXEMPTIONSActivityStatusValueStartSuccessresource_CallerCallerIpAddress
Operators
wherecontains==orextendtostringparse_jsonproject