Strange auto-generated resources appeared in Azure

Yashas Manjunath 96 Reputation points
2023-05-11T09:10:40.96+00:00

This week in one of the tenants we manage something strange happened. On Tuesday at 5:40 am (CET) suddenly all subscriptions got resources deployed. The resource groups which were deployed are attached as a screenshot. One of the resource groups is attached as a screenshot too.


So a new Log Analytics workspace and a bunch of alerts were deployed (1 for each subscription). Looking into the activity log I can see that this was done by a user, let's say "John".

Looking into the sign-in logs of "John" I can see a sign-in to "Microsoft Azure" with MFA enabled and everything looks fine (no suspicious location or something like that). This was authenticated or accessed through an iPhone.

I trust "John" and he claims that he was asleep at this time (which sounds logical :-)).

Does anybody know what Azure tooling causes resources to be deployed like this?


Accepted answer
  1. Andrew Blumhardt 9,961 Reputation points Microsoft Employee
    2023-05-11T12:22:27.3766667+00:00

    These resource group names are unusual. I would look at the activity logs at the subscription level for any other unusual activity from the user. Play it safe and reset MFA. Consider time zone differences; this is reported in UTC. I suspect he may have created/deployed automation that is running under his credentials... though the MFA part is unusual. Take a closer look at these RGs and any resources inside. Look for any logic apps, functions, or automation runbooks created by the user.

    1 person found this answer helpful.
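
One way to run the Activity Log review the accepted answer suggests, as an added example that is not part of the original thread: it finds a caller's widest burst of successful writes across subscriptions, reports the start in UTC and local time, and lists writes to logic apps, function/web apps and runbooks. The records are constructed samples shaped like `az monitor activity-log list` output; the caller names, subscription ids, times and the UTC+2 offset are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Resource types that can deploy under a user's identity (the answer's checklist).
AUTOMATION_TYPES = {"microsoft.logic/workflows", "microsoft.web/sites",
                    "microsoft.automation/automationaccounts/runbooks"}

def _ev(caller, ts, sub, op, status="Succeeded"):
    """Build one constructed record shaped like `az monitor activity-log list` output."""
    return {"caller": caller, "eventTimestamp": ts, "subscriptionId": sub,
            "operationName": {"value": op}, "status": {"value": status}}

# Constructed sample data: callers, subscription ids and times are made up.
SAMPLE = [
    _ev("john@contoso.example", "2023-05-02T14:10:00Z", "sub-a", "Microsoft.Logic/workflows/write"),
    _ev("john@contoso.example", "2023-05-09T03:40:05Z", "sub-a", "Microsoft.OperationalInsights/workspaces/write"),
    _ev("john@contoso.example", "2023-05-09T03:40:09Z", "sub-b", "Microsoft.OperationalInsights/workspaces/write"),
    _ev("john@contoso.example", "2023-05-09T03:40:12Z", "sub-c", "Microsoft.Insights/scheduledQueryRules/write"),
    _ev("john@contoso.example", "2023-05-09T03:41:00Z", "sub-d", "Microsoft.Resources/deployments/write", "Failed"),
    _ev("alice@contoso.example", "2023-05-09T03:40:30Z", "sub-e", "Microsoft.Storage/storageAccounts/write"),
]

def review_caller(events, caller, local_tz, window=timedelta(minutes=10)):
    """Find the caller's widest multi-subscription write burst and automation writes."""
    writes = []
    for e in events:
        op = e["operationName"]["value"]
        if (e["caller"].lower() == caller.lower() and op.lower().endswith("/write")
                and e["status"]["value"] == "Succeeded"):
            # Activity Log timestamps are UTC; parse them as timezone-aware values.
            ts = datetime.fromisoformat(e["eventTimestamp"].replace("Z", "+00:00"))
            writes.append((ts, e["subscriptionId"], op))
    writes.sort()
    burst, burst_start = set(), None
    for start, _, _ in writes:
        # Distinct subscriptions written to within `window` of this write.
        subs = {s for t, s, _ in writes if start <= t < start + window}
        if len(subs) > len(burst):
            burst, burst_start = subs, start
    automation = [(t.isoformat(), op) for t, _, op in writes
                  if op.lower().rsplit("/", 1)[0] in AUTOMATION_TYPES]
    return {"burst_subscriptions": sorted(burst),
            "burst_start_utc": burst_start.isoformat() if burst_start else None,
            "burst_start_local": burst_start.astimezone(local_tz).isoformat() if burst_start else None,
            "automation_writes": automation}

if __name__ == "__main__":
    # Assumed analyst offset of UTC+2; adjust to your own zone.
    print(review_caller(SAMPLE, "john@contoso.example", timezone(timedelta(hours=2))))
```

A burst that starts seconds apart in every subscription points to scripted or service-driven deployment rather than interactive portal use, and any earlier automation write by the same caller is the first resource to inspect.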

2 additional answers

  1. Shweta Mathur 30,276 Reputation points Microsoft Employee
    2023-05-11T11:27:25.91+00:00

    Hi @Yashas Manjunath ,

    Thanks for reaching out.

    I can understand your concern.

    Did you check the audit logs and see any activity related to deployments there?

    There is a possibility that the resources were deployed using Azure Resource Manager (ARM) templates which can be used to deploy resources in a consistent and repeatable way. It is also possible that the resources were deployed using Azure DevOps which can also automate the deployment of resources based on code changes.

    Can you check if there are any Logic Apps or Function apps configured in your environment that might be deploying resources?

    Thanks,

    Shweta

    1 person found this answer helpful.

  2. Omar Teodoro Oropeza 0 Reputation points
    2025-05-06T02:35:04.9166667+00:00

    I think the source of these configurations is the Azure mobile app:

    https://learn.microsoft.com/en-us/azure/azure-portal/mobile-app/alerts-notifications
