Using Azure policy, can we deny resource creation if diagnostic setting is not enabled?
Note: some resources can be created with diagnostic settings; however, they can also be added to diagnostic settings later.
Excluding resources like:
  "notIn": [
    "microsoft.security/assessmentmetadata",
    "microsoft.network/networksecuritygroups/securityrules",
    "microsoft.storage/storageaccounts/queueservices/queues",
    "microsoft.operationalinsights/workspaces/tables",
    "microsoft.machinelearningservices/workspaces/jobs",
    "microsoft.authorization/rolemanagementpolicies",
    "microsoft.apimanagement/service/apis/operations",
    "microsoft.apimanagement/service/apis/operations/tags",
    "microsoft.compute/disks",
    "microsoft.compute/virtualmachines/extensions",
    "microsoft.authorization/roleassignments",
    "microsoft.storage/storageaccounts/tableservices/tables",
    "microsoft.insights/components/proactivedetectionconfigs",
    "microsoft.network/routetables/routes",
    "microsoft.machinelearningservices/workspaces/environments/versions",
    "microsoft.sql/servers/databases/advisors",
    "microsoft.security/policies",
    "microsoft.resources/subscriptions/resourcegroups",
    "microsoft.authorization/roledefinitions",
    "microsoft.apimanagement/service/apis/operations/policies",
    "microsoft.compute/snapshots",
    "microsoft.datafactory/factories/pipelines",
    "microsoft.datafactory/factories/datasets",
    "microsoft.network/virtualnetworks/subnets",
    "microsoft.security/pricings"
  ]
On the one hand, Azure Policy's README indicates Microsoft.Diagnostics/* is exempt from policy evaluation.
https://github.com/Azure/azure-policy
On the other, here is an audit policy for diagnostics.
Could try a Deny effect.
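As an added example (not code from the question or the answer above), this is the audit form of the rule: an AuditIfNotExists policy whose existenceCondition checks the child Microsoft.Insights/diagnosticSettings resource for at least one enabled log or metric category. A Deny effect carries no details/existenceCondition block, so it cannot inspect that child resource when the parent is created; DeployIfNotExists with the same details block is the enforcing variant. The parameter name, display name and the exclusion list (trimmed to four entries from the question's list) are assumptions.

```json
{
  "properties": {
    "displayName": "Audit resources without an enabled diagnostic setting",
    "mode": "All",
    "parameters": {
      "excludedResourceTypes": {
        "type": "Array",
        "metadata": { "displayName": "Resource types to skip" },
        "defaultValue": [
          "microsoft.compute/disks",
          "microsoft.compute/virtualmachines/extensions",
          "microsoft.network/virtualnetworks/subnets",
          "microsoft.resources/subscriptions/resourcegroups"
        ]
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "notIn": "[parameters('excludedResourceTypes')]"
      },
      "then": {
        "effect": "AuditIfNotExists",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "anyOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "true"
              }
            ]
          }
        }
      }
    }
  }
}
```

Resources whose type is in the exclusion list are skipped; any other resource with no diagnostic setting, or only disabled categories, is reported as non-compliant in the policy compliance view.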