Diagnostic setting for Azure audit logs

Nimish Salve 20 Reputation points
2024-09-16T12:37:52.77+00:00

I am trying to set up a diagnostic setting to stream Active Directory audit logs to a storage account using the CLI / an ARM template.

I tried the commands below without success.

az monitor diagnostic-settings create \
  --name "AuditLogToStorage" \
  --resource "/providers/Microsoft.aadiam/directoryInsights" \
  --storage-account "<Storage accountId>" \
  --logs '[{"category": "AuditLogs", "enabled": true}]'

az monitor diagnostic-settings create \
  --name "AuditLogToStorage" \
  --resource "/providers/Microsoft.aadiam/directoryServices" \
  --storage-account "<Storage accountId>" \
  --logs '[{"category": "AuditLogs", "enabled": true}]'

It always fails with

usage error: --resource ID | --resource NAME --resource-group NAME --resource-type TYPE [--resource-parent PARENT] [--resource-namespace NAMESPACE]

I tried the ARM template below; it failed with

The resource type '/' does not support diagnostic settings

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Insights/diagnosticSettings",
            "apiVersion": "2017-05-01-preview",
            "name": "AuditLogExport",
            "properties": {
                "logs": [
                    {
                        "category": "AuditLogs",
                        "enabled": true,
                        "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                        }
                    }
                ],
                "metrics": [],
                "storageAccountId": "<storageAccountId>"
            }
        }
    ]
}

Can someone help me set up a diagnostic setting for Active Directory audit logs? I am interested in user- and group-related events (user create/delete, group create/delete, add user to group, etc.).

Please suggest if there is any other way to achieve this.


Accepted answer
Stanislav Zhelyazkov 24,376 Reputation points MVP
2024-09-17T06:04:15.7933333+00:00

Hi,

I believe it is not possible to achieve this with Az CLI or PowerShell with the commands available, as they target resources in a resource group. You can achieve this via a Bicep/ARM template though: Send Azure AD Diagnostic logs to Azure Monitor with Bicep. Note that the actual diagnostic settings are deployed at tenant scope and you need to have permissions at tenant scope. The template itself can be deployed to resource group scope.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


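The tenant-scope Bicep approach the answer points to, written out as an added example that is not from the question or the answer; the parameter names, the symbolic resource name and the default setting name are assumptions:

```bicep
// Added example: a Bicep file that creates the tenant-scope directory diagnostic
// setting the answer refers to. The file is deployed to a resource group, but the
// setting itself targets the tenant, so the deploying identity needs tenant-scope
// permissions, as the answer notes. Parameter and symbolic names are illustrative.

@description('Resource ID of the storage account that receives the audit logs.')
param storageAccountId string

@description('Name of the diagnostic setting (assumed default).')
param settingName string = 'AuditLogToStorage'

// microsoft.aadiam/diagnosticSettings is the tenant-level resource type for
// directory logs. The question's template used Microsoft.Insights/diagnosticSettings,
// which applies to Azure Resource Manager resources (VMs, storage accounts, ...),
// not to the directory itself.
resource directoryDiag 'microsoft.aadiam/diagnosticSettings@2017-04-01' = {
  name: settingName
  scope: tenant()
  properties: {
    storageAccountId: storageAccountId
    logs: [
      {
        // AuditLogs carries the directory management events the question asks
        // about: user create/delete, group create/delete, member added/removed.
        category: 'AuditLogs'
        enabled: true
        retentionPolicy: {
          enabled: false
          days: 0
        }
      }
    ]
  }
}

output diagnosticSettingName string = directoryDiag.name
```

Deploy it to a resource group with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters storageAccountId=<storage account resource ID>`; after a few minutes, the `insights-logs-auditlogs` container in the storage account should start receiving JSON blobs, which is the quickest check that the setting took effect.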