
Diagnostic setting for Azure audit logs

Nimish Salve 20 Reputation points
2024-09-16T12:37:52.77+00:00

I am trying to set up a diagnostic setting to stream Active Directory audit logs to a storage account using the CLI / an ARM template.

I tried the commands below without success.

az monitor diagnostic-settings create \
  --name "AuditLogToStorage" \
  --resource "/providers/Microsoft.aadiam/directoryInsights" \
  --storage-account "<Storage accountId>" \
  --logs '[{"category": "AuditLogs", "enabled": true}]'

az monitor diagnostic-settings create \
  --name "AuditLogToStorage" \
  --resource "/providers/Microsoft.aadiam/directoryServices" \
  --storage-account "<Storage accountId>" \
  --logs '[{"category": "AuditLogs", "enabled": true}]'

It always fails with

usage error: --resource ID | --resource NAME --resource-group NAME --resource-type TYPE [--resource-parent PARENT] [--resource-namespace NAMESPACE]

I tried the ARM template below; it failed with

The resource type '/' does not support diagnostic settings

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Insights/diagnosticSettings",
            "apiVersion": "2017-05-01-preview",
            "name": "AuditLogExport",
            "properties": {
                "logs": [
                    {
                        "category": "AuditLogs",
                        "enabled": true,
                        "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                        }
                    }
                ],
                "metrics": [],
                "storageAccountId": "<storageAccountId>"
            }
        }
    ]
}

Can someone help me set up a diagnostic setting for Active Directory audit logs? I am interested in user- and group-related events (user create/delete, group create/delete, add user to group, etc.).

Please suggest if there is any other way to achieve this.


Answer accepted by question author

Stanislav Zhelyazkov 29,401 Reputation points MVP Volunteer Moderator
2024-09-17T06:04:15.7933333+00:00

Hi,

I believe it is not possible to achieve this with Az CLI or PowerShell with the commands available, as they target resources in a resource group. You can achieve this via a Bicep/ARM template, though: Send Azure AD Diagnostic logs to Azure Monitor with Bicep. Note that the actual diagnostic settings are deployed at tenant scope and you need to have permissions at tenant scope. The template itself can be deployed to resource group scope.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
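As an added example, not the answer's own template or the code from the linked article: a Bicep file deployed at tenant scope that streams the AuditLogs category (which covers the user and group changes the question asks about) to a storage account. The parameter names, the setting name and the deployment command in the comments are assumptions.

```bicep
// Added example, not from the question or the answer above.
// Deploy at tenant scope, for example:
//   az deployment tenant create --location <region> \
//     --template-file aad-audit-diag.bicep --parameters storageAccountId=<id>
// The deploying identity needs a role assignment at the root scope ('/'),
// as the answer notes; a resource-group-scoped deployment of
// Microsoft.Insights/diagnosticSettings cannot target the directory.
targetScope = 'tenant'

@description('Resource ID of the destination storage account (assumed parameter name).')
param storageAccountId string

@description('Name of the diagnostic setting (assumed default).')
param settingName string = 'AuditLogToStorage'

// Tenant-level resource type for Azure AD / Entra ID diagnostic settings.
// It is not a resource-group resource, which is why the
// `az monitor diagnostic-settings create` calls in the question fail.
resource aadDiag 'microsoft.aadiam/diagnosticSettings@2017-04-01' = {
  name: settingName
  properties: {
    storageAccountId: storageAccountId
    logs: [
      {
        // AuditLogs contains directory change events: user create/delete,
        // group create/delete, group membership updates, and similar.
        category: 'AuditLogs'
        enabled: true
        retentionPolicy: {
          enabled: false
          days: 0
        }
      }
    ]
  }
}

output diagnosticSettingId string = aadDiag.id
```

Once deployed, the AuditLogs category lands in the storage account as the `insights-logs-auditlogs` container, which is where a detection pipeline would pick up the user and group events.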

