I am trying to set up a diagnostic setting to stream Active Directory audit logs to a storage account using the CLI / an ARM template.
I tried the commands below without success.
az monitor diagnostic-settings create \
--name "AuditLogToStorage" \
--resource "/providers/Microsoft.aadiam/directoryInsights" \
--storage-account "<Storage accountId>" \
--logs '[{"category": "AuditLogs", "enabled": true}]'

az monitor diagnostic-settings create \
--name "AuditLogToStorage" \
--resource "/providers/Microsoft.aadiam/directoryServices" \
--storage-account "<Storage accountId>" \
--logs '[{"category": "AuditLogs", "enabled": true}]'
It always fails with:
usage error: --resource ID | --resource NAME --resource-group NAME --resource-type TYPE [--resource-parent PARENT] [--resource-namespace NAMESPACE]
I also tried the ARM template below; it failed with:
The resource type '/' does not support diagnostic settings
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Insights/diagnosticSettings",
            "apiVersion": "2017-05-01-preview",
            "name": "AuditLogExport",
            "properties": {
                "logs": [
                    {
                        "category": "AuditLogs",
                        "enabled": true,
                        "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                        }
                    }
                ],
                "metrics": [],
                "storageAccountId": "<storageAccountId>"
            }
        }
    ]
}
Can someone help me set up a diagnostic setting for Active Directory audit logs? I am interested in user- and group-related events (user create/delete, group create/delete, add user to group, etc.).
Please suggest if there is any other way to achieve this.
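An added example, not from the original post: the same setting (same logs/retentionPolicy/storageAccountId body shape as the ARM template above) sent with az rest to the tenant-level Azure AD diagnostic-settings endpoint. It assumes the endpoint https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/<name> with api-version 2017-04-01-preview, a placeholder storage account resource ID, and an existing az login session; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example. Assumption: Azure AD diagnostic settings are tenant-scoped and
# live under /providers/microsoft.aadiam/diagnosticSettings/<name>, which is why
# `az monitor diagnostic-settings create` (built for subscription-scoped
# resource IDs) rejects the --resource values tried in the question.
AAD_DIAG_API="2017-04-01-preview"

# Build the request body for the given storage account ID and log categories
# (e.g. AuditLogs SignInLogs). Mirrors the ARM template's properties block.
aad_diag_body() {
  storage_id="$1"; shift
  logs=""
  for cat in "$@"; do
    [ -n "$logs" ] && logs="$logs,"
    logs="$logs{\"category\":\"$cat\",\"enabled\":true,\"retentionPolicy\":{\"enabled\":false,\"days\":0}}"
  done
  printf '{"properties":{"storageAccountId":"%s","logs":[%s]}}' "$storage_id" "$logs"
}

# Create or update the setting; needs an authenticated az CLI session.
aad_diag_put() {
  name="$1"; storage_id="$2"; shift 2
  az rest --method put \
    --url "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/$name?api-version=$AAD_DIAG_API" \
    --body "$(aad_diag_body "$storage_id" "$@")"
}

# Read back what is configured (useful to confirm the export is in place).
aad_diag_list() {
  az rest --method get \
    --url "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings?api-version=$AAD_DIAG_API"
}

# Usage (placeholder storage account resource ID):
# aad_diag_put AuditLogToStorage \
#   "/subscriptions/<subId>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>" \
#   AuditLogs
```

The user and group events named in the question (add/delete user, add/delete group, add member to group) all fall under the AuditLogs category, so that single category is enough for them.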