Monitoring and Observability Operational hygiene premium

Change Analysis

Change Analysis is an Azure troubleshooting view that shows when supported resources changed and who or what made the control-plane change. In everyday Azure work, it helps teams connect incidents to deployments, settings edits, identity changes, policy updates, or resource modifications instead of guessing from symptoms alone. You usually see it around Azure portal Change Analysis, Resource Graph queries, Diagnose and solve problems, Activity Log investigations, incident reviews, and post-deployment checks. The practical value is clarity: the name tells operators which resource, identity, data path, cost meter, or runtime behavior must be checked before production work changes.

Back to glossary browser Open Microsoft Learn source
Aliases
No aliases mapped yet
Difficulty
fundamentals
CLI mappings
4
Last verified
2026-05-12

Microsoft Learn

Change Analysis helps identify changes that may have affected application or resource behavior. Microsoft Learn places it in Analyze changes to your Azure resources; operators confirm scope, configuration, dependencies, and production impact. Use the linked source for exact Azure behavior.

Microsoft Learn: Analyze changes to your Azure resources2026-05-12

Technical context

Technically, Change Analysis appears as Resource Graph change data created from Azure Resource Manager control-plane operations and queried through portal experiences or Microsoft.ResourceGraph/resources. Engineers verify it through changed properties, timestamps, resource IDs, change actor information, operation sources, old and new values, subscription scope, and related Activity Log entries. Important configuration includes query scope, time range, resource type, filters, retention expectations, access permissions, and any export path for longer-term evidence. It often interacts with Azure Resource Graph, Azure Monitor, Activity Log, Service Health workflows, Logic Apps exports, incident tickets, and application troubleshooting dashboards.

Why it matters

Change Analysis matters because without change evidence, teams waste hours blaming application code while a platform setting, tag, identity, network rule, or deployment changed minutes earlier. The business impact is rarely abstract: users see slower systems, missing data, failed sign-ins, confusing reports, or unexpected cost when the setting is misunderstood. A solid glossary entry gives architects and operators the same language for design reviews, support handoffs, and audit evidence. It also helps teams decide what to check first, which metric or log proves the current state, who owns remediation, and when a change should be rolled back instead of patched live.

Where you see it

Signals, screens, and Azure surfaces where this term usually becomes operational.

Signal 01

In the Azure portal, Change Analysis appears near Azure Monitor change views, where operators confirm scope, owner, diagnostics, access, and production state before release or incident response.

Signal 02

In CLI, ARM, SDK, REST, or Bicep output, Change Analysis appears as Resource Graph change records, giving teams repeatable release and audit evidence during deployments and incidents.

Signal 03

In logs, metrics, tickets, or reviews, Change Analysis appears beside recent changes, incidents, owners, and timestamps, linking symptoms to security, reliability, cost, and performance decisions quickly.

When this becomes relevant

Specific situations where this term helps solve real Azure design, operations, migration, security, reliability, cost, or governance problems.

  • Organize resources so ownership, cost, access, and lifecycle are clear.
  • Apply guardrails before teams deploy production workloads.
  • Query inventory and compliance across many subscriptions.
  • Create repeatable deployments and cleanup workflows.

Real-world case studies

Different enterprise-style examples that show the term being used to hit measurable objectives.

Case study 01

Incident root cause discovery

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

Apex Payments, a financial services firm, needed faster root-cause analysis after a production API began rejecting checkout requests.

Business/Technical Objectives
  • Identify relevant Azure changes within 30 minutes
  • Separate platform drift from application defects
  • Preserve evidence for the incident review
  • Reduce customer-impacting rollback time
Solution Using Change Analysis

The operations lead opened Change Analysis and queried Resource Graph for changes around the checkout API, App Service, private endpoint, and Key Vault references. The team found a firewall rule update and a slot setting change that occurred 12 minutes before error rates rose. They correlated the changed properties with Activity Log entries and deployment pipeline timestamps, then attached the before-and-after values to the incident ticket. Engineers rolled back the network rule, validated healthy dependency calls, and updated the release gate to require Change Analysis review when similar symptoms appear. The runbook also captured dashboard links, owner contacts, rollback criteria, and monthly review steps so operators could verify the design without tribal knowledge during incidents or release windows. Evidence from each change was saved with the deployment record for audit, support, and future capacity planning.

Results & Business Impact
  • Root cause was identified in 19 minutes
  • Checkout errors returned to baseline after rollback
  • Post-incident evidence included exact changed properties
  • Future release checks added automated change queries
Key Takeaway for Glossary Readers

Change Analysis shortens incidents by connecting symptoms to recent control-plane changes before teams chase unrelated code paths.

Case study 02

Compliance drift investigation

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

Willow County IT, a public sector agency, needed to explain why several storage accounts no longer matched encryption and tagging standards.

Business/Technical Objectives
  • Find unauthorized configuration changes across subscriptions
  • Identify who changed each resource
  • Restore required tags and security settings
  • Prepare audit-ready evidence within one day
Solution Using Change Analysis

Cloud governance engineers used Change Analysis through Resource Graph to query recent storage account changes across the tenant. They filtered by resource type, property path, and time range, then joined results with Activity Log records. The investigation showed that a deployment template used by one project team removed required cost-center tags and altered a minimum TLS setting. The team redeployed the approved Bicep module, opened follow-up tasks for template correction, and exported the change records to the compliance workbook. Policy remediation was scheduled only after the root template defect was fixed. The rollout plan included before-and-after measurements, escalation contacts, exception rules, and a control review with finance, security, and application owners. That evidence made the improvement repeatable and gave support teams a clear baseline when later incidents raised similar symptoms.

Results & Business Impact
  • All affected resources were identified in one query set
  • Required tags and TLS settings were restored the same day
  • Audit evidence showed actor, timestamp, and changed properties
  • Template defects were corrected before remediation reran
Key Takeaway for Glossary Readers

Change Analysis turns configuration drift into traceable evidence that governance, platform, and project teams can act on.

Case study 03

Post-deployment quality gate

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

Northwind Health Apps, a healthcare software provider, needed to prove production deployments changed only approved resources.

Business/Technical Objectives
  • Verify approved changes after every deployment
  • Detect manual edits during release windows
  • Reduce false escalation to developers
  • Keep deployment evidence for regulated workloads
Solution Using Change Analysis

The platform team added a post-deployment quality gate that queried Change Analysis for the resource group containing App Service, Key Vault, SQL, and networking components. The release pipeline exported changed property paths, actors, and timestamps for the deployment window. Operators compared the results with the planned change list before closing the release ticket. When an unexpected private endpoint DNS setting appeared, the release manager paused further rollout, confirmed a manual portal edit by a support engineer, and reverted it before users were affected. The same evidence fed the monthly change-management report. Release evidence included configuration snapshots, CLI output, representative metrics, and ticket notes, giving operations a durable baseline for training, audits, and later optimization work. The team also defined when to scale back, rotate credentials, or open a vendor support case.

Results & Business Impact
  • Unexpected manual edits were caught before broad rollout
  • Release closure time improved by 35 percent
  • Developer escalations for platform drift fell by 44 percent
  • Auditors accepted Resource Graph change evidence
Key Takeaway for Glossary Readers

Change Analysis is not just for outages; it can prove whether a deployment stayed inside its approved blast radius.

Why use Azure CLI for this?

Use CLI, REST, SDK, or scripted queries for Change Analysis because incident responders need timestamped, queryable change evidence across subscriptions without relying on screenshots or portal memory and to avoid portal-only evidence during reviews.

CLI use cases

  • Query recent resource changes around the start time of a production incident.
  • Export change records into a post-incident review or compliance ticket.
  • Compare expected deployment changes with unexpected manual edits.

Before you run CLI

  • Confirm the active tenant, subscription, resource group, workspace, account, or region before running commands.
  • Use least-privileged access and avoid storing secrets, prompts, certificates, tokens, or personal data in command output.
  • Know whether the command is read-only, mutating, cost-impacting, security-impacting, or destructive before production use.

What output tells you

  • Output confirms whether the live Azure configuration exists at the expected scope and matches the approved design.
  • Returned IDs, settings, metrics, timestamps, or logs help separate configuration drift from application behavior.
  • Differences between expected and actual state create evidence for rollback, escalation, audit, or owner follow-up.

Mapped Azure CLI commands

Operational hygiene CLI commands

diagnostic
az resource list --query "[?tags.Owner==null].[name,type,resourceGroup]" --output table
az resourcediscoverManagement and Governance
read-only Microsoft docs
az monitor activity-log list --max-events 50 --output table
az monitor activity-logdiscoverManagement and Governance
read-only Microsoft docs
az advisor recommendation list --category Cost --output table
az advisor recommendationdiscoverManagement and Governance
read-only Microsoft docs
az group list --query "[?tags.Environment==null].[name,location]" --output table
az groupdiscoverManagement and Governance
read-only Microsoft docs

Architecture context

Change Analysis belongs in the observability architecture as the control-plane evidence layer for incidents and post-deployment reviews. It helps teams answer what changed, when it changed, and which identity or operation caused it across supported Azure resources. Experienced operators correlate Change Analysis records with Activity Log, deployment history, Resource Graph, metrics, alerts, and application traces before blaming code. It is especially useful in platform environments where policy, networking, identity, tags, diagnostics, or scaling settings can change outside the application repository. Architects should define who can query this evidence, how long it is retained, and how incident tickets capture the change record so rollback decisions are based on timestamps and resource IDs, not memory.

Security

Security for Change Analysis starts with understanding which identities, secrets, certificates, endpoints, data stores, or management-plane permissions it touches. Review who can view, change, or use it, and confirm that production access follows least privilege. Check whether private networking, firewall rules, RBAC, key vault storage, managed identity, audit logs, and data classification apply. Operators should avoid exposing tokens, connection strings, prompts, certificate material, or cost-sensitive business metadata in troubleshooting output. A secure design also documents emergency access, rotation responsibilities, and evidence retention so an incident response team can prove the current configuration without inventing access during an outage. Security reviewers should confirm least privilege, private access paths, and audit retention before approving production use.

Cost

Cost for Change Analysis comes from the resources, transactions, data movement, retention, compute, capacity, tokens, or operational labor it influences. Some costs are direct meters, while others appear as extra storage, higher throughput, duplicate processing, export jobs, monitoring ingestion, or engineering time. Review budgets, cost allocation, tags, usage metrics, and SKU limits before scaling or enabling new behavior. The safest approach is to define the owner, expected usage pattern, and alert thresholds up front. That way finance conversations use evidence instead of opinions after the bill arrives. Finance and engineering teams should agree which metric proves usage and which scope owns remediation.

Reliability

Reliability for Change Analysis depends on whether the design behaves predictably during scale events, regional incidents, expired credentials, throttling, schema changes, or downstream failures. Identify the dependency chain, expected failure mode, and recovery target before production use. Monitor the signals that show backlog, lag, retries, health state, capacity saturation, authentication failures, or stale data. Test restore, rotation, failover, replay, or rollback paths where they apply. Operators need a runbook that separates platform configuration problems from application defects and says which evidence is required before escalating to networking, identity, database, or product teams. Runbooks should state the first observable symptom, safe rollback path, and owner escalation route.

Performance

Performance for Change Analysis is about how quickly and consistently the related workload can complete useful work. Measure the right signals: latency, throughput, backlog, request units, token volume, CPU, memory, bytes scanned, file counts, retries, or throttled operations depending on the service. Avoid tuning one setting in isolation when partitions, replicas, keys, network paths, identity calls, downstream services, or client behavior may be the real bottleneck. Performance reviews should compare expected workload shape with live metrics and include a safe test plan before increasing capacity or changing production configuration. Load tests should compare expected throughput, latency, queue depth, and saturation signals against live limits.

Operations

Operationally, Change Analysis needs ownership, naming, tagging, change records, and repeatable verification. Teams should know where it appears in the portal, which commands or queries prove state, which dashboards show health, and which settings are safe to change during business hours. Keep examples, approvals, and rollback notes with the service runbook rather than in personal notes. For production changes, capture current configuration before and after the work, including resource IDs, region, owner, timestamp, and related deployment. Good operations turn the term into a checklist that first responders can follow under pressure. Operational evidence should include timestamps, resource IDs, owner names, and links to the approved change record.

Common mistakes

  • Assuming Change Analysis observes every data-plane operation or application file change.
  • Waiting beyond retention before exporting evidence needed for audit or RCA.
  • Reviewing metrics only and missing a resource configuration change that caused the symptom.