Built-in policies for Azure Monitor

Policies and policy initiatives provide a simple method to enable logging at-scale via diagnostics settings for Azure Monitor. Using a policy initiative, you can turn on audit logging for all supported resources in your Azure environment.

Enable resource logs to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. Assign policies to enable resource logs and to send them to destinations according to your needs. Send logs to event hubs for third-party SIEM systems, enabling continuous security operations. Send logs to storage accounts for longer term storage or the fulfillment of regulatory compliance.

A set of built-in policies and initiatives exists to direct resource logs to Log Analytics Workspaces, Event Hubs, and Storage Accounts. The policies enable audit logging, sending logs belonging to the audit log category group to an event hub, Log Analytics workspace or Storage Account. The policies' effect is DeployIfNotExists, which deploys the policy as a default if there aren't other settings defined.

Deploy policies.

Deploy the policies and initiatives using the Portal, CLI, PowerShell, or Azure Resource Management templates

The following steps show how to apply the policy to send audit logs to for key vaults to a log analytics workspace.

  1. From the Policy page, select Definitions.

  2. Select your scope. You can apply a policy to the entire subscription, a resource group, or an individual resource.

  3. From the Definition type dropdown, select Policy.

  4. Select Monitoring from the Category dropdown

  5. Enter keyvault in the Search field.

  6. Select the Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Log Analytics policy, A screenshot of the policy definitions page.

  7. From the policy definition page, select Assign

  8. Select the Parameters tab.

  9. Select the Log Analytics Workspace that you want to send the audit logs to.

  10. Select the Remediation tab. A screenshot of the assign policy page, parameters tab.

  11. On the remediation tab, select the keyvault policy from the Policy to remediate dropdown.

  12. Select the Create a Managed Identity checkbox.

  13. Under Type of Managed Identity, select System assigned Managed Identity.

  14. Select Review + create, then select Create . A screenshot of the assign policy page, remediation tab.

The policy is visible in the resources' diagnostic settings after approximately 30 minutes.

Remediation tasks

Policies are applied to new resources when they're created. To apply a policy to existing resources, create a remediation task. Remediation tasks bring resources into compliance with a policy.

Remediation tasks act for specific policies. For initiatives that contain multiple policies, create a remediation task for each policy in the initiative where you have resources that you want to bring into compliance.

Define remediation tasks when you first assign the policy, or at any stage after assignment.

To create a remediation task for policies during the policy assignment, select the Remediation tab on Assign policy page and select the Create remediation task checkbox.

To create a remediation task after the policy has been assigned, select your assigned policy from the list on the Policy Assignments page.

A screenshot showing the policy remediation page.

Select Remediate. Track the status of your remediation task in the Remediation tasks tab of the Policy Remediation page.

A screenshot showing the new remediation task page.

For more information on remediation tasks, see Remediate noncompliant resources

Assign initiatives

Initiatives are collections of policies. There are three initiatives for Azure Monitor Diagnostics settings:

In this example, we assign an initiative for sending audit logs to a Log Analytics workspace.

  1. From the policy Definitions page, select your scope.

  2. Select Initiative in the Definition type dropdown.

  3. Select Monitoring in the Category dropdown.

  4. Enter audit in the Search field.

  5. Select thee Enable audit category group resource logging for supported resources to Log Analytics initiative.

  6. On the following page, select Assign A screenshot showing the initiatives definitions page.

  7. On the Basics tab of the Assign initiative page, select a Scope that you want the initiative to apply to.

  8. Enter a name in the Assignment name field.

  9. Select the Parameters tab. A screenshot showing the assign initiatives basics tab.

    The Parameters contains the parameters defined in the policy. In this case, we need to select the Log Analytics workspace that we want to send the logs to. For more information in the individual parameters for each policy, see Policy-specific parameters.

  10. Select the Log Analytics workspace to send your audit logs to.

  11. Select Review + create then Create A screenshot showing the assign initiatives parameters tab.

To verify that your policy or initiative assignment is working, create a resource in the subscription or resource group scope that you defined in your policy assignment.

After 10 minutes, select the Diagnostics settings page for your resource. Your diagnostic setting appears in the list with the default name setByPolicy-LogAnalytics and the workspace name that you configured in the policy.

A screenshot showing the Diagnostics setting page for a resource.

Change the default name in the Parameters tab of the Assign initiative or policy page by unselecting the Only show parameters that need input or review checkbox.

A screenshot showing the edit-initiative-assignment page with the checkbox unselected.

Common parameters

The following table describes the common parameters for each set of policies.

Parameter Description Valid Values Default
effect Enable or disable the execution of the policy DeployIfNotExists,
diagnosticSettingName Diagnostic Setting Name setByPolicy-LogAnalytics
categoryGroup Diagnostic category group none,

Policy-specific parameters

Log Analytics policy parameters

This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace.

Parameter Description Valid Values Default
resourceLocationList Resource Location List to send logs to nearby Log Analytics.
"*" selects all locations
Supported locations *
logAnalytics Log Analytics Workspace

Event Hubs policy parameters

This policy deploys a diagnostic setting using a category group to route logs to an event hub.

Parameter Description Valid Values Default
resourceLocation Resource Location must be the same location as the event hub Namespace Supported locations
eventHubAuthorizationRuleId Event hub Authorization Rule ID. The authorization rule is at event hub namespace level. For example, /subscriptions/{subscription ID}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}
eventHubName Event hub name Monitoring

Storage Accounts policy parameters

This policy deploys a diagnostic setting using a category group to route logs to a Storage Account.

Parameter Description Valid Values Default
resourceLocation Resource Location must be in the same location as the Storage Account Supported locations
storageAccount Storage Account resourceId

Supported Resources

Built-in Audit logs policies for Log Analytics workspaces, Event Hubs, and Storage Accounts exist for the following resources:

  • microsoft.agfoodplatform/farmbeats
  • microsoft.apimanagement/service
  • microsoft.appconfiguration/configurationstores
  • microsoft.attestation/attestationproviders
  • microsoft.automation/automationaccounts
  • microsoft.avs/privateclouds
  • microsoft.cache/redis
  • microsoft.cdn/profiles
  • microsoft.cognitiveservices/accounts
  • microsoft.containerregistry/registries
  • microsoft.devices/iothubs
  • microsoft.eventgrid/topics
  • microsoft.eventgrid/domains
  • microsoft.eventgrid/partnernamespaces
  • microsoft.eventhub/namespaces
  • microsoft.keyvault/vaults
  • microsoft.keyvault/managedhsms
  • microsoft.machinelearningservices/workspaces
  • microsoft.media/mediaservices
  • microsoft.media/videoanalyzers
  • microsoft.netapp/netappaccounts/capacitypools/volumes
  • microsoft.network/publicipaddresses
  • microsoft.network/virtualnetworkgateways
  • microsoft.network/p2svpngateways
  • microsoft.network/frontdoors
  • microsoft.network/bastionhosts
  • microsoft.operationalinsights/workspaces
  • microsoft.purview/accounts
  • microsoft.servicebus/namespaces
  • microsoft.signalrservice/signalr
  • microsoft.signalrservice/webpubsub
  • microsoft.sql/servers/databases
  • microsoft.sql/managedinstances

Next Steps