This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I have been struggling to get this policy to fully check that blob, file, Queue, and Table services are properly configured with diagnostic settings. The end result would be to ensure each storage service has diagnostic logging being sent to a log analytics workspace for StorageRead, StorageWrite, and StorageDelete categories. To note this is using the newer method described in [https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage?tabs=azure-porta][1]l Also this could be an issue on the azure side, however it is unclear to me from this article if that is true or not. [https://github.com/azure/azure-policy#resource-type-not-correctly-published-by-resource-provider][2] The main issue I have been trying to solve is the logic to detect this across all blob services. The deployment logic works fine, its just the compliance check part to ensure blob, file, Queue, and Table services are enabled. Currently the below returns: (full policy attached as well) No related resources match the effect details in the policy definition. (Error code: Not Found) ["policyRule": { "if": { "field": "type", "equals": "Microsoft.Storage/storageAccounts" }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Insights/diagnosticSettings", "existenceCondition": { "allOf": [ { "count": { "field": "Microsoft.Insights/diagnosticSettings/logs[]", "where": { "allOf": [ { "field": "Microsoft.Insights/diagnosticSettings/logs[].category", "in": [ "StorageRead", "StorageWrite", "StorageDelete" ] }, { "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", "equals": "[parameters('logsEnabled')]" } ] } }, "greater": 0 }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", "equals": "[parameters('logAnalytics')]" } ] },][3] [1]: https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage?tabs=azure-porta [2]: https://github.com/azure/azure-policy#resource-type-not-correctly-published-by-resource-provider [3]: /api/attachments/85864-storage-logging-policy.txt?platform=QnA
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 39%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
anonymous user Welcome to Microsoft Q & A Community Forum. I speculate you might have checked built-in policy available to enable diagnostic settings for Azure Storage account. If not, I would suggest you check this built-in policy , if it fits your requirement. If not, kindly revert.
Reference Link : https://learn.microsoft.com/en-us/azure/storage/common/policy-reference?toc=/azure/storage/blobs/toc.json
That built-in policy has the same issues, which is why I was trying the above. It does not report compliance properly on storage accounts that are configured correctly with diagnostic logging when the storage account category: metric (transaction) logging is not configured and underlying storage services such as blob, file, table, and queue are configured for logging.
As an example I configure the policy assignment and set the Transaction parameter as false. Indicating the desired state for the storage account is to have metric categories not enabled for logging and only the log categories (StorageDelete, StorageWrite, StorageRead) enabled for blob, queue, table, and file services.
In this scenario the policy assignment still shows these resources as non-compliant, even though the state is as intended. If and only when you configure metrics (transaction) logging does the policy show compliant regardless of the configured state of the blob, queue, table, and file services.
anonymous user Apologies for late response. Yes you were right, seems there is some discrepancy when evaluating the ARM properties. I am checking this issue with internal team and will update you soon.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 94%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVJ%3C/text%3E%3C/svg%3E)
Could we please get an update on this issue. We need the functionality to monitor "blob" only diagnostic settings.
@Valley, Jack Currently, Product team is working on creating policies to overcome the issues noticed in the current policy. It will be out in few weeks.
Thank you for the prompt response. I believe we overcame this issue yesterday for monitoring only 'blob' diagnostic settings. The key was to have our "Mode" set to "ALL". We used type: "Microsoft.Storage/StorageAccounts/blobServices"
Thank you!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 59%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
For Microsoft.Storage/StorageAccounts/blobServices
The resourcename for the non compliant resource returned as Default, and as such the Remediation Template fails, how did you get the resourcename?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 15%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
@Varun Sharma did u get any update on this. We are trying to apply same policy but remediation template is keep on failing
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 5%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZ%3C/text%3E%3C/svg%3E)
Hello,
Is there an update to this? This seems to be an issue for quite a few people and I don't see a final resolution in this thread...
Thanks!
When you say you fixed this issue by using type: Microsoft.Storage/StorageAccounts/blobServices, which section of the policy template are you referring to where this type was used, as type is referenced a few times throughout.
Thanks!
@Zac Thanks for following up on this .New policies will be rolled out by end of this week (8/26/2022).
@SwathiDhanwada-MSFT Thanks! If you could update this article once the new policies are rolled out that would be awesome!
@Zac Below policies have been rolled out. Kindly check.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 7.000000000000001%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
Looks like remediation is not working for new policies, getting:
Error code: InvalidDeployment
Reason: The deployment definition is invalid. Please see https://aka.ms/arm-deploy for usage details.
Yes I ended up creating custom policy with each different service type (blob, table, file, queue) to make it more manageable. The main change from the built-in policy is that the parameter "resourcename" in the deployment needs to be changed to refer to the full name "<storageAccountName>/default"
@Varun Sharma ,Can we have a 5 min call today to guide me. I am completely stuck herev.Need to be done by today
@Varun Sharma r u saying this one to change. ![200289-image.png][1] [1]: /api/attachments/200289-image.png?platform=QnA
Yes the deployment needs to be updated to fullname (<storageAccountName>/default) rather than the service name (default)
"resourceName": {
"value": "[field('fullname')]"
}
and update the name in the deployment from
"name": "[concat(parameters('resourceName'), '/default/', 'Microsoft.Insights/', parameters('diagnosticsSettingNameToUse'))]",
to
"name": "[concat(parameters('resourceName'),'/', 'Microsoft.Insights/', parameters('diagnosticsSettingNameToUse'))]",
here is an e.g. for blob and you can modify it to use for others
{
"properties": {
"displayName": "Configure diagnostic settings for blob services",
"policyType": "Custom",
"mode": "All",
"description": "Deploys the diagnostic settings for storage account blob services to stream resource logs to a Log Analytics workspace when any storage account blob service which is missing these diagnostic settings is created or updated.",
"metadata": {
"category": "Storage"
},
"parameters": {
"logAnalytics": {
"type": "String",
"metadata": {
"displayName": "Log Analytics workspace",
"description": "Specify the Log Analytics workspace the storage account should be connected to.",
"strongType": "omsWorkspace",
"assignPermissions": true
}
},
"diagnosticsSettingNameToUse": {
"type": "String",
"metadata": {
"displayName": "Setting name",
"description": "Name of the diagnostic settings."
},
"defaultValue": "storageAccountsDiagnosticsLogsToWorkspace"
},
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
},
"StorageDelete": {
"type": "String",
"metadata": {
"displayName": "StorageDelete - Enabled",
"description": "Whether to stream StorageDelete logs to the Log Analytics workspace - True or False"
},
"allowedValues": [
"True",
"False"
],
"defaultValue": "True"
},
"StorageWrite": {
"type": "String",
"metadata": {
"displayName": "StorageWrite - Enabled",
"description": "Whether to stream StorageWrite logs to the Log Analytics workspace - True or False"
},
"allowedValues": [
"True",
"False"
],
"defaultValue": "True"
},
"StorageRead": {
"type": "String",
"metadata": {
"displayName": "StorageRead - Enabled",
"description": "Whether to stream StorageRead logs to the Log Analytics workspace - True or False"
},
"allowedValues": [
"True",
"False"
],
"defaultValue": "True"
},
"Transaction": {
"type": "String",
"metadata": {
"displayName": "Transaction - Enabled",
"description": "Whether to stream Transaction logs to the Log Analytics workspace - True or False"
},
"allowedValues": [
"True",
"False"
],
"defaultValue": "True"
}
},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Storage/storageAccounts/blobServices"
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Insights/diagnosticSettings",
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
],
"existenceCondition": {
"allOf": [{
"anyOf": [{
"field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
"equals": "True"
},
{
"field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
"equals": "True"
}
]
},
{
"field": "Microsoft.Insights/diagnosticSettings/workspaceId",
"equals": "[parameters('logAnalytics')]"
}
]
},
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"diagnosticsSettingNameToUse": {
"type": "string"
},
"resourceName": {
"type": "string"
},
"logAnalytics": {
"type": "string"
},
"location": {
"type": "string"
},
"Transaction": {
"type": "string"
},
"StorageRead": {
"type": "string"
},
"StorageWrite": {
"type": "string"
},
"StorageDelete": {
"type": "string"
}
},
"variables": {},
"resources": [{
"type": "Microsoft.Storage/storageAccounts/blobServices/providers/diagnosticSettings",
"apiVersion": "2017-05-01-preview",
"name": "[concat(parameters('resourceName'),'/', 'Microsoft.Insights/', parameters('diagnosticsSettingNameToUse'))]",
"location": "[parameters('location')]",
"dependsOn": [],
"properties": {
"workspaceId": "[parameters('logAnalytics')]",
"metrics": [{
"category": "Transaction",
"enabled": "[parameters('Transaction')]",
"retentionPolicy": {
"days": 0,
"enabled": false
},
"timeGrain": null
}],
"logs": [{
"category": "StorageRead",
"enabled": "[parameters('StorageRead')]"
},
{
"category": "StorageWrite",
"enabled": "[parameters('StorageWrite')]"
},
{
"category": "StorageDelete",
"enabled": "[parameters('StorageDelete')]"
}
]
}
}],
"outputs": {}
},
"parameters": {
"diagnosticsSettingNameToUse": {
"value": "[parameters('diagnosticsSettingNameToUse')]"
},
"logAnalytics": {
"value": "[parameters('logAnalytics')]"
},
"location": {
"value": "[field('location')]"
},
"resourceName": {
"value": "[field('fullname')]"
},
"Transaction": {
"value": "[parameters('Transaction')]"
},
"StorageDelete": {
"value": "[parameters('StorageDelete')]"
},
"StorageWrite": {
"value": "[parameters('StorageWrite')]"
},
"StorageRead": {
"value": "[parameters('StorageRead')]"
}
}
}
}
}
}
}
}
}