Using Azure policy, can we deny resource creation if diagnostic setting is not enabled?

Nav Pat 0 Reputation points
2023-03-17T10:05:32.6966667+00:00

Using Azure policy, can we deny resource creation if diagnostic setting is not enabled?

Note: Some of the resources can be created with diagnostic settings; however, diagnostic settings can also be added later.

Excluding resources like:

```json
"notIn": [
  "microsoft.security/assessmentmetadata",
  "microsoft.network/networksecuritygroups/securityrules",
  "microsoft.storage/storageaccounts/queueservices/queues",
  "microsoft.operationalinsights/workspaces/tables",
  "microsoft.machinelearningservices/workspaces/jobs",
  "microsoft.authorization/rolemanagementpolicies",
  "microsoft.apimanagement/service/apis/operations",
  "microsoft.apimanagement/service/apis/operations/tags",
  "microsoft.compute/disks",
  "microsoft.compute/virtualmachines/extensions",
  "microsoft.authorization/roleassignments",
  "microsoft.storage/storageaccounts/tableservices/tables",
  "microsoft.insights/components/proactivedetectionconfigs",
  "microsoft.network/routetables/routes",
  "microsoft.machinelearningservices/workspaces/environments/versions",
  "microsoft.sql/servers/databases/advisors",
  "microsoft.security/policies",
  "microsoft.resources/subscriptions/resourcegroups",
  "microsoft.authorization/roledefinitions",
  "microsoft.apimanagement/service/apis/operations/policies",
  "microsoft.compute/snapshots",
  "microsoft.datafactory/factories/pipelines",
  "microsoft.datafactory/factories/datasets",
  "microsoft.network/virtualnetworks/subnets",
  "microsoft.security/pricings"
]
```

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.

1 answer

  1. Andrew S 0 Reputation points
    2023-03-17T10:53:41.8466667+00:00

    On the one hand, Azure Policy's README indicates Microsoft.Diagnostics/* is exempt from policy evaluation.

    https://github.com/Azure/azure-policy

    On the other, here is an audit policy for diagnostics.

    https://github.com/Azure/azure-policy/blob/bce512d2241f91eac086485b89cd1b4c44504009/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json#L6

    Could try a Deny effect.
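The practical caveat behind this thread, stated as an added note rather than as part of either post: a `Deny` effect evaluates only the request payload of the resource being created, and a diagnostic setting is a separate child resource (`Microsoft.Insights/diagnosticSettings`) written in a later request, so a `Deny` on the parent type has nothing to inspect. Existence checks (`details` with an `existenceCondition`) are available only for `AuditIfNotExists` and `DeployIfNotExists`, which is why the built-in policy linked above audits instead of denying. The following custom definition is an added example, not the page's or Microsoft's own code: it flips the built-in's `in` list into the `notIn` exclusion list from the question and flags every other indexed resource that has no diagnostic setting with logs or metrics enabled. The `displayName`, parameter name and default list are assumptions for this example.

```json
{
  "properties": {
    "displayName": "Audit diagnostic settings for all resource types except an exclusion list (example)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Flags resources that do not have a diagnostic setting with logs or metrics enabled. Resource types in the exclusion list are skipped.",
    "parameters": {
      "listOfExcludedResourceTypes": {
        "type": "Array",
        "metadata": {
          "displayName": "Resource types to exclude",
          "description": "Resource types that are never evaluated (list taken from the question above)."
        },
        "defaultValue": [
          "microsoft.security/assessmentmetadata",
          "microsoft.network/networksecuritygroups/securityrules",
          "microsoft.storage/storageaccounts/queueservices/queues",
          "microsoft.operationalinsights/workspaces/tables",
          "microsoft.machinelearningservices/workspaces/jobs",
          "microsoft.authorization/rolemanagementpolicies",
          "microsoft.apimanagement/service/apis/operations",
          "microsoft.apimanagement/service/apis/operations/tags",
          "microsoft.compute/disks",
          "microsoft.compute/virtualmachines/extensions",
          "microsoft.authorization/roleassignments",
          "microsoft.storage/storageaccounts/tableservices/tables",
          "microsoft.insights/components/proactivedetectionconfigs",
          "microsoft.network/routetables/routes",
          "microsoft.machinelearningservices/workspaces/environments/versions",
          "microsoft.sql/servers/databases/advisors",
          "microsoft.security/policies",
          "microsoft.resources/subscriptions/resourcegroups",
          "microsoft.authorization/roledefinitions",
          "microsoft.apimanagement/service/apis/operations/policies",
          "microsoft.compute/snapshots",
          "microsoft.datafactory/factories/pipelines",
          "microsoft.datafactory/factories/datasets",
          "microsoft.network/virtualnetworks/subnets",
          "microsoft.security/pricings"
        ]
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "notIn": "[parameters('listOfExcludedResourceTypes')]"
      },
      "then": {
        "effect": "AuditIfNotExists",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "anyOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              }
            ]
          }
        }
      }
    }
  }
}
```

Because the check runs after the parent resource exists, the result is a compliance finding, not a blocked deployment. To close the gap rather than report it, the same `if` block and `existenceCondition` can be reused with a `DeployIfNotExists` effect that carries a deployment template creating the diagnostic setting, which additionally requires a managed identity on the assignment with rights to write diagnostic settings.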