
Enable Azure Policy to Automatically Configure Log Analytics and VM Insights Across Subscriptions via Management Group Scope

Sree Aravind M 40 Reputation points
2026-04-24T05:56:16.4766667+00:00

We are building a multi-cloud FinOps application where we collect performance and cost metrics from Azure resources. Currently, we are programmatically enabling diagnostic settings and monitoring configurations using APIs for specific resource types.

Current Implementation (API-based approach)

We are enabling Log Analytics workspace integration for the following Azure resource types using APIs:

• Microsoft.Web/serverFarms
• Microsoft.DBforMySQL/flexibleServers
• Microsoft.DBforPostgreSQL/flexibleServers
• Microsoft.Sql/servers/elasticPools
• Microsoft.Sql/servers/databases

Additionally, for Virtual Machines, we are enabling monitoring (including VM Insights / performance metrics) via API.

New Requirement (Policy-based approach)

We want to transition from API-based configuration to a centralized Azure Policy-driven approach.

Scenario 1: Log Analytics Workspace Enablement via Policy

We are creating a Management Group (not resource group) and moving subscriptions under it.

We want to apply Azure Policies at the Management Group scope to:

• Automatically enable diagnostic settings for all supported resource types.
• Route logs and metrics to a specific Log Analytics Workspace (Workspace ID).
• Ensure compliance for:
  • Existing resources (retroactive enablement)
  • Newly created resources (automatic enforcement)

We are looking for:

• Built-in or recommended Azure Policies for this use case
• Guidance on assigning policies at Management Group level
• Whether a single policy can cover multiple resource types or if separate policies are required


2 answers

  1. Bharath Y P 8,850 Reputation points Microsoft External Staff Moderator
    2026-04-24T06:30:08.54+00:00

    Hello Sree, it makes total sense to move from “one-off” API calls to a centralized, policy-driven model—especially when you have multiple subscriptions under a management group. Here’s a high-level approach you can take for both diagnostics (logs & metrics) and VM Insights:

    Steps to create an Azure Policy to enable Diagnostic Settings for the following resource types at the subscription scope:

    Resources:

    • Microsoft.Web/serverFarms
    • Microsoft.DBforMySQL/flexibleServers
    • Microsoft.DBforPostgreSQL/flexibleServers
    • Microsoft.Sql/servers/databases

    Once the resources are created (or if they are already present), follow the steps below for each resource:

    1. Navigate to Azure Policy > Definitions > + Policy Definition
    2. Set the Definition location to your subscription
    3. Paste the provided JSON into the Policy Rule editor
    4. Enter the required details such as Display Name, Description, and set the Category to Monitoring
    5. Add the appropriate Policy Rule JSON for each resource type as provided below
    6. Click Save

    After completing the above steps, proceed to create and assign the Azure Policy at the subscription scope as outlined below:

    1. After clicking Save, the policy definition will be validated and the newly created definition will open.
    2. Click on Assign Policy.
    3. Select the appropriate Scope and fill in the remaining required fields. Ensure that Policy Enforcement is enabled.
    4. Click Next → In the Parameters tab, provide the Log Analytics Workspace Resource ID → Click Next.
    5. Under Remediation, select Create a remediation task and enable System-assigned managed identity.
    6. Click Review + Create.

    Required Role Assignments:

    1. The managed identity created for the policy assignment must have the following roles:
       • Monitoring Contributor (to configure diagnostic settings)
       • Log Analytics Contributor (to send data to the workspace)
    2. To verify role assignments:
       • Navigate to Subscriptions → Select your subscription
       • Go to Access Control (IAM) → Role Assignments tab
       • Filter by Type = Service Principal
       • Search using the policy assignment name or principal ID
       • Confirm that both required roles are assigned

    Note: These steps apply to all specified resource types when creating custom policies to enable diagnostic settings.

    Hope this helps! Please feel free to reach out if you have any further questions. Thanks



  2. Q&A Assist
    2026-04-24T05:57:02.62+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    For Log Analytics and VM insights enablement at management group scope, use Azure Policy initiatives with either built-in or custom diagnostic-settings policies and assign them at the management group level.

    1. Built-in vs custom policies for diagnostic settings
    • Built-in diagnostic policies exist per resource type and destination (Log Analytics, Storage, Event Hub). Examples in the Monitoring category include policies such as:
      • “Enable logging by category group for microsoft.dbformysql/flexibleservers to Log Analytics”
      • “Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Log Analytics”
    • These built-ins are per resource type. A single built-in policy does not cover multiple resource types. For each resource type (App Service plans, SQL databases, MySQL/PostgreSQL flexible servers, etc.), a separate policy definition is required.
    • If a built-in does not exist for a specific resource type, create a custom policy definition that deploys a diagnostic setting to your Log Analytics workspace. The documentation shows an example for SQL databases:
      • PowerShell:
            # PowerShell continues a command onto the next line with a backtick, not a backslash
            New-AzPolicyDefinition -Name "Deploy Diagnostic Settings for SQL Server database to Log Analytics workspace" `
              -Policy .\Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.rules.json `
              -Parameter .\Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.parameters.json `
              -Mode All -Metadata '{"category":"Monitoring"}'

      • Azure CLI:
            # bash-style line continuation; inside single quotes a backslash is literal, so the
            # Windows paths need a single backslash, not an escaped pair
            az policy definition create \
              --name 'deploy-diag-setting-sql-database--workspace' \
              --display-name 'Deploy Diagnostic Settings for SQL Server database to Log Analytics workspace' \
              --rules 'Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.rules.json' \
              --params 'Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.parameters.json' \
              --subscription 'AzureMonitor_Docs' \
              --mode All

    2. Use an initiative to cover multiple resource types
    • A single policy cannot cover multiple resource types, but a single initiative can.
    • Create an initiative that includes:
      • All built-in diagnostic-setting policies for each resource type you need (e.g., MySQL flexible servers, PostgreSQL flexible servers, others in the Monitoring category).
      • Any custom diagnostic-setting policies you created (e.g., for App Service plans, SQL elastic pools, etc.).
    • Recommendations for the initiative:
      • Set Category to Monitoring so it’s grouped with related policies.
      • Use initiative-level parameters for shared settings such as Log Analytics workspace ID and (if applicable) Event Hub details. This allows specifying the workspace once for all policies in the initiative and changing it centrally later.
    3. Assigning at management group scope
    • To assign at management group scope using built-in policies/initiatives from the Azure portal:
      1. Go to Policy → Definitions.
      2. Filter Category = Monitoring and Definition type = Initiative or Policy.
      3. For initiatives, search for audit or allLogs and select the initiative for your destination; for individual policies, search by resource type and destination.
      4. On the selected initiative/policy pane, select Assign initiative.
      5. On the Basics tab, set Scope to the management group that contains your subscriptions. The initiative/policy will apply to all resources in that scope (with optional exclusions and resource selectors if needed).
      6. On the Parameters tab, select the Log Analytics workspace (and other destination parameters) that all policies in the initiative should use.
      7. On the Remediation tab, select Create a remediation task and ensure a system-assigned managed identity is created. This ensures existing resources are brought into compliance.
      8. Select Review + create → Create.
    • For custom initiatives (e.g., your own diagnostic-setting policies):
      • Create the initiative (with Category = Monitoring) and add all relevant policy definitions.
      • Use initiative parameters for workspace and other shared values.
      • Then assign the initiative to the management group as above.
    4. Ensuring coverage for existing and new resources
    • New resources:
      • Once the initiative is assigned with enforcement enabled, any new resource of a covered type created in the management group scope will be evaluated and, with DeployIfNotExists policies, automatically configured with diagnostic settings to the specified Log Analytics workspace.
    • Existing resources:
      • Create a remediation task when assigning the initiative. This deploys diagnostic settings to existing resources that are currently noncompliant.
      • The documentation explicitly notes that remediation tasks are required to apply diagnostic settings to already-created resources.
    5. VM insights and VM monitoring via policy
    • For VM insights, use the VM insights policy initiatives and assign them at management group, subscription, or resource group scope:
      • In the Azure portal, go to Policy → Assignments → Assign initiative.
      • On Basics, set Scope to the management group.
      • Select one of the VM insights initiatives as the Initiative definition.
      • Configure parameters (e.g., Log Analytics workspace) and remediation.
    • After assignment, compliance can be reviewed via the VM insights policy coverage view and Policy compliance views. Compliance state indicates whether agents (Azure Monitor Agent or Log Analytics agent and Dependency agent) are deployed to all VMs in scope.
    6. Compliance and monitoring
    • Use Policy → Compliance to review initiative compliance at management group or subscription level. Noncompliant resources indicate where diagnostic settings or agents are missing and may need remediation.
    • For VM insights specifically, use Monitor → Insights → Virtual machines → Other onboarding options → Enable using policy to view Azure Monitor for VMs Policy Coverage, including:
      • Scope (management group or subscription)
      • Total VMs
      • Assignment coverage
      • Compliance state

    Summary

    • Separate policy definitions are required per resource type; a single policy cannot cover all resource types.
    • Use a single Monitoring-category initiative that aggregates all relevant diagnostic-setting policies (built-in and custom) and VM insights initiatives.
    • Assign the initiative at management group scope with initiative-level parameters for the Log Analytics workspace and create remediation tasks to cover both existing and new resources.


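Both answers describe the same build: one DeployIfNotExists definition per resource type (with the Monitoring Contributor and Log Analytics Contributor roles for the remediation identity) and one initiative that passes a single workspace parameter to all of them. The script below is an added example, not code from the question, either answer, or the Azure documentation. It generates those artifacts offline for the five resource types in the question. The `metrics_only` flag for App Service plans, the `allLogs` category group and the `deploy-diag-*` names are assumptions to check against each provider's supported categories; `mg-placeholder` stands in for your management group name.

```python
"""Added example: generate per-type DeployIfNotExists definitions plus one initiative
that wires a single logAnalytics parameter into every member. Assumptions marked inline."""
import json
from pathlib import Path

# Built-in role definition IDs the assignment's managed identity needs for remediation
# (Monitoring Contributor, then Log Analytics Contributor).
ROLE_IDS = [
    "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
    "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]

# Constructed table of the question's resource types. metrics_only is assumed true for
# App Service plans (no log categories); verify against each provider before assigning.
TARGETS = [
    ("Microsoft.Web/serverFarms", "serverfarms", True),
    ("Microsoft.DBforMySQL/flexibleServers", "mysql-flex", False),
    ("Microsoft.DBforPostgreSQL/flexibleServers", "postgres-flex", False),
    ("Microsoft.Sql/servers/elasticPools", "sql-elasticpool", False),
    ("Microsoft.Sql/servers/databases", "sql-database", False),
]


def policy_parameters():
    """Parameters every definition exposes; the initiative passes logAnalytics through."""
    return {
        "logAnalytics": {"type": "String", "metadata": {
            "displayName": "Log Analytics workspace",
            "description": "Resource ID of the destination workspace",
            "strongType": "omsWorkspace"}},
        "profileName": {"type": "String", "defaultValue": "setByPolicy"},
    }


def policy_rule(resource_type, metrics_only):
    """DeployIfNotExists rule: deploy a diagnostic setting unless one already targets the workspace."""
    existence = [
        {"field": "Microsoft.Insights/diagnosticSettings/workspaceId",
         "equals": "[parameters('logAnalytics')]"},
        {"field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", "equals": "true"},
    ]
    props = {"workspaceId": "[parameters('logAnalytics')]",
             "metrics": [{"category": "AllMetrics", "enabled": True}]}
    if not metrics_only:
        existence.append({"field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                          "equals": "true"})
        props["logs"] = [{"categoryGroup": "allLogs", "enabled": True}]  # assumed supported
    template = {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {k: {"type": "string"} for k in ("resourceName", "logAnalytics", "profileName")},
        "resources": [{
            "type": f"{resource_type}/providers/diagnosticSettings",
            "apiVersion": "2021-05-01-preview",
            # field('fullName') gives 'server/database' for nested types such as SQL databases
            "name": "[concat(parameters('resourceName'), '/Microsoft.Insights/', parameters('profileName'))]",
            "properties": props,
        }],
    }
    return {
        "if": {"field": "type", "equals": resource_type},
        "then": {"effect": "DeployIfNotExists", "details": {
            "type": "Microsoft.Insights/diagnosticSettings",
            "roleDefinitionIds": ROLE_IDS,
            "existenceCondition": {"allOf": existence},
            "deployment": {"properties": {
                "mode": "incremental",
                "template": template,
                "parameters": {
                    "resourceName": {"value": "[field('fullName')]"},
                    "logAnalytics": {"value": "[parameters('logAnalytics')]"},
                    "profileName": {"value": "[parameters('profileName')]"},
                }}}}},
    }


def build_all(mg_name):
    """Return ({definition name: body}, initiative body) for definitions stored at management group mg_name."""
    defs = {}
    for rtype, short, metrics_only in TARGETS:
        defs[f"deploy-diag-{short}-workspace"] = {
            "displayName": f"Deploy Diagnostic Settings for {rtype} to Log Analytics workspace",
            "mode": "All", "metadata": {"category": "Monitoring"},
            "parameters": policy_parameters(), "policyRule": policy_rule(rtype, metrics_only)}
    # One initiative: the shared parameter is set once at assignment and fed to every member.
    initiative = {
        "parameters": {"logAnalytics": policy_parameters()["logAnalytics"]},
        "policyDefinitions": [{
            "policyDefinitionReferenceId": name,
            "policyDefinitionId": f"/providers/Microsoft.Management/managementGroups/{mg_name}"
                                  f"/providers/Microsoft.Authorization/policyDefinitions/{name}",
            "parameters": {"logAnalytics": {"value": "[parameters('logAnalytics')]"}},
        } for name in defs],
    }
    return defs, initiative


def write_files(out_dir, mg_name):
    """Write the JSON files that the --rules/--params and --definitions/--params CLI flags accept."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    defs, initiative = build_all(mg_name)
    for name, body in defs.items():
        (out / f"{name}.rules.json").write_text(json.dumps(body["policyRule"], indent=2))
        (out / f"{name}.parameters.json").write_text(json.dumps(body["parameters"], indent=2))
    (out / "initiative.definitions.json").write_text(json.dumps(initiative["policyDefinitions"], indent=2))
    (out / "initiative.parameters.json").write_text(json.dumps(initiative["parameters"], indent=2))
    return sorted(p.name for p in out.iterdir())


if __name__ == "__main__":
    print(write_files("policy-out", "mg-placeholder"))  # mg-placeholder: substitute your MG name
```

Feed each pair of files to `az policy definition create --rules ... --params ... --mode All --management-group <mg>`, then `az policy set-definition create --definitions initiative.definitions.json --params initiative.parameters.json --management-group <mg>`, and assign the initiative with `az policy assignment create --scope /providers/Microsoft.Management/managementGroups/<mg> --mi-system-assigned --location <region>`. The assignment's identity still needs the two roles above at the management group before a remediation task can bring existing resources into compliance; the existence condition keys on the workspace ID, so a resource whose diagnostic setting points elsewhere is reported noncompliant rather than silently accepted.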
