Azure Policy built-in definitions for Azure Monitor
This page is an index of Azure Policy built-in policy definitions for Azure Monitor. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.
The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.
Azure Monitor
| Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| [Preview]: Configure Azure Arc-enabled Linux machines with Log Analytics agents connected to default Log Analytics workspace | Protect your Azure Arc-enabled Linux machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. | DeployIfNotExists, Disabled | 1.0.0-preview |
| [Preview]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace | Protect your Azure Arc-enabled Windows machines with Microsoft Defender for Cloud capabilities, by installing Log Analytics agents that send data to a default Log Analytics workspace created by Microsoft Defender for Cloud. | DeployIfNotExists, Disabled | 1.1.0-preview |
| [Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | Configure system-assigned managed identity to virtual machines hosted in Azure that are supported by Azure Monitor and do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Azure Monitor assignments and must be added to machines before using any Azure Monitor extension. Target virtual machines must be in a supported location. | Modify, Disabled | 6.0.0-preview |
| [Preview]: Log Analytics Extension should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | AuditIfNotExists, Disabled | 2.0.1-preview |
| [Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines | This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1-preview |
| [Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines | This policy audits Windows Azure Arc machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1-preview |
| [Preview]: Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| [Preview]: Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.2-preview |
| Activity log should be retained for at least one year | This policy audits the activity log if the retention is not set for 365 days or forever (retention days set to 0). | AuditIfNotExists, Disabled | 1.0.0 |
| An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
| An activity log alert should exist for specific Policy operations | This policy audits specific Policy operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 3.0.0 |
| An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
| Application Insights components should block log ingestion and querying from public networks | Improve Application Insights security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs of this component. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Application Insights components should block non-Azure Active Directory based ingestion. | Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system. | Deny, Audit, Disabled | 1.0.0 |
| Application Insights components with Private Link enabled should use Bring Your Own Storage accounts for profiler and debugger. | To support private link and customer-managed key policies, create your own storage account for profiler and debugger. Learn more in https://docs.microsoft.com/azure/azure-monitor/app/profiler-bring-your-own-storage | Deny, Audit, Disabled | 1.0.0 |
| Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. | AuditIfNotExists | 2.0.1 |
| Azure Application Gateway should have Resource logs enabled | Enable Resource logs for Azure Application Gateway (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Front Door should have Resource logs enabled | Enable Resource logs for Azure Front Door (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Front Door Standard or Premium (Plus WAF) should have resource logs enabled | Enable Resource logs for Azure Front Door Standard or Premium (plus WAF) and stream to a Log Analytics workspace. Get detailed visibility into inbound web traffic and actions taken to mitigate attacks. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Log Search Alerts over Log Analytics workspaces should use customer-managed keys | Ensure that Azure Log Search Alerts are implementing customer-managed keys, by storing the query text using the storage account that the customer had provided for the queried Log Analytics workspace. For more information, visit https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. | Audit, Disabled, Deny | 1.0.0 |
| Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action' | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption) | To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Azure Monitor Logs clusters should be encrypted with customer-managed key | Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace | Link the Application Insights component to a Log Analytics workspace for logs encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your data in Azure Monitor. Linking your component to a Log Analytics workspace that's enabled with a customer-managed key, ensures that your Application Insights logs meet this compliance requirement, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Azure Monitor Private Link Scope should block access to non private link resources | Azure Private Link lets you connect your virtual networks to Azure resources through a private endpoint to an Azure Monitor Private Link scope (AMPLS). Private Link Access modes are set on your AMPLS to control whether ingestion and query requests from your networks can reach all resources, or only Private Link resources (to prevent data exfiltration). Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#private-link-access-modes-private-only-vs-open. | Audit, Deny, Disabled | 1.0.0 |
| Azure Monitor Private Link Scope should use private link | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Monitor Private Links Scope, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure Monitor should collect activity logs from all regions | This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. | AuditIfNotExists, Disabled | 2.0.0 |
| Azure Monitor solution 'Security and Audit' must be deployed | This policy ensures that Security and Audit is deployed. | AuditIfNotExists, Disabled | 1.0.0 |
| Azure subscriptions should have a log profile for Activity Log | This policy ensures if a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub. | AuditIfNotExists, Disabled | 1.0.0 |
| Configure Azure Activity logs to stream to specified Log Analytics workspace | Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Azure Application Insights components to disable public network access for log ingestion and querying | Disable components log ingestion and querying from public networks access to improve security. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights. | Modify, Disabled | 1.1.0 |
| Configure Azure Log Analytics workspaces to disable public network access for log ingestion and querying | Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics. | Modify, Disabled | 1.1.0 |
| Configure Azure Monitor Private Link Scope to block access to non private link resources | Azure Private Link lets you connect your virtual networks to Azure resources through a private endpoint to an Azure Monitor Private Link scope (AMPLS). Private Link Access modes are set on your AMPLS to control whether ingestion and query requests from your networks can reach all resources, or only Private Link resources (to prevent data exfiltration). Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#private-link-access-modes-private-only-vs-open. | Modify, Disabled | 1.0.0 |
| Configure Azure Monitor Private Link Scope to use private DNS zones | Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Monitor private link scope. Learn more at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security#connect-to-a-private-endpoint. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Azure Monitor Private Link Scopes with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Azure Monitor Private Link Scopes, you can reduce data leakage risks. Learn more about private links at: https://docs.microsoft.com/azure/azure-monitor/logs/private-link-security. | DeployIfNotExists, Disabled | 1.0.0 |
| Configure Dependency agent on Azure Arc enabled Linux servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | DeployIfNotExists, Disabled | 2.0.0 |
| Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | DeployIfNotExists, Disabled | 1.1.2 |
| Configure Dependency agent on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | DeployIfNotExists, Disabled | 2.0.0 |
| Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Dependency agent virtual machine extension with Azure Monitoring Agent settings. VM insights uses the Dependency agent to collect network metrics and discovered data about processes running on the machine and external process dependencies. See more - https://aka.ms/vminsightsdocs. | DeployIfNotExists, Disabled | 1.1.2 |
| Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. | DeployIfNotExists, Disabled | 2.2.0 |
| Configure Linux Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Linux Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the region is supported. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 2.4.0 |
| Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | DeployIfNotExists, Disabled | 6.3.0 |
| Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | DeployIfNotExists, Disabled | 4.2.0 |
| Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 3.5.0 |
| Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 3.6.0 |
| Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Linux virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | DeployIfNotExists, Disabled | 4.2.0 |
| Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 3.5.0 |
| Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 3.6.0 |
| Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | DeployIfNotExists, Disabled | 2.1.1 |
| Configure Log Analytics extension on Azure Arc enabled Windows servers | Enable VM insights on servers and machines connected to Azure through Arc enabled servers by installing the Log Analytics virtual machine extension. VM insights uses the Log Analytics agent to collect the guest OS performance data, and provides insights into their performance. See more - https://aka.ms/vminsightsdocs. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | DeployIfNotExists, Disabled | 2.1.1 |
| Configure Log Analytics workspace and automation account to centralize logs and monitoring | Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is aprerequisite for solutions like Updates and Change Tracking. | DeployIfNotExists, AuditIfNotExists, Disabled | 2.0.0 |
| Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations are updated over time as support is increased. | DeployIfNotExists, Disabled | 2.2.0 |
| Configure Windows Arc-enabled machines to run Azure Monitor Agent | Automate the deployment of Azure Monitor Agent extension on your Windows Arc-enabled machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 2.4.0 |
| Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines, virtual machine scale sets, and Arc machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | DeployIfNotExists, Disabled | 4.5.0 |
| Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machine scale sets to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | DeployIfNotExists, Disabled | 3.3.0 |
| Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 3.4.0 |
| Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 1.4.0 |
| Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint | Deploy Association to link Windows virtual machines to the specified Data Collection Rule or the specified Data Collection Endpoint. The list of locations and OS images are updated over time as support is increased. | DeployIfNotExists, Disabled | 3.3.0 |
| Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension if the OS and region are supported and system-assigned managed identity is enabled, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 4.4.0 |
| Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication | Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. | DeployIfNotExists, Disabled | 1.4.0 |
| Dependency agent should be enabled for listed virtual machine images | Reports virtual machines as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | AuditIfNotExists, Disabled | 2.0.0 |
| Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the agent is not installed. The list of OS images is updated over time as support is updated. | AuditIfNotExists, Disabled | 2.0.0 |
| Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | DeployIfNotExists, Disabled | 3.1.0 |
| Deploy - Configure Dependency agent to be enabled on Windows virtual machines | Deploy Dependency agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. | DeployIfNotExists, Disabled | 3.1.0 |
| Deploy - Configure diagnostic settings to a Log Analytics workspace to be enabled on Azure Key Vault Managed HSM | Deploys the diagnostic settings for Azure Key Vault Managed HSM to stream to a regional Log Analytics workspace when any Azure Key Vault Managed HSM which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 |
| Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets | Deploy Log Analytics extension for Windows virtual machine scale sets if the virtual machine image is in the list defined and the extension is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machine in the set by updating them. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | DeployIfNotExists, Disabled | 3.1.0 |
| Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines | Deploy Log Analytics extension for Windows virtual machines if the virtual machine image is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date. | DeployIfNotExists, Disabled | 3.1.0 |
| Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | deployIfNotExists | 5.0.0 |
| Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all virtual machines in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | DeployIfNotExists, Disabled | 3.1.1 |
| Deploy Dependency agent for Linux virtual machines | Deploy Dependency agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. | deployIfNotExists | 5.0.0 |
| Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings if the VM Image (OS) is in the list defined and the agent is not installed. | DeployIfNotExists, Disabled | 3.1.1 |
| Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machine scale sets with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. If your scale set upgradePolicy is set to Manual, you need to apply the extension to all the virtual machines in the set by updating them. | DeployIfNotExists, Disabled | 1.2.2 |
| Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings | Deploy Dependency agent for Windows virtual machines with Azure Monitoring Agent settings if the virtual machine image is in the list defined and the agent is not installed. | DeployIfNotExists, Disabled | 1.2.2 |
| Deploy Diagnostic Settings for Batch Account to Event Hub | Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
| Deploy Diagnostic Settings for Batch Account to Log Analytics workspace | Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 |
| Deploy Diagnostic Settings for Data Lake Analytics to Event Hub | Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
| Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace | Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 |
| Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub | Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
| Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace | Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 |
| Deploy Diagnostic Settings for Event Hub to Event Hub | Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when any Event Hub which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.1.0 |
| Deploy Diagnostic Settings for Event Hub to Log Analytics workspace | Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
| Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 3.0.0 |
| Deploy Diagnostic Settings for Logic Apps to Event Hub | Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when any Logic Apps which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
| Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace | Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 |
| Deploy Diagnostic Settings for Network Security Groups | This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. | deployIfNotExists | 2.0.1 |
| Deploy Diagnostic Settings for Search Services to Event Hub | Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
| Deploy Diagnostic Settings for Search Services to Log Analytics workspace | Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 |
| Deploy Diagnostic Settings for Service Bus to Event Hub | Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
| Deploy Diagnostic Settings for Service Bus to Log Analytics workspace | Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.1.0 |
| Deploy Diagnostic Settings for Stream Analytics to Event Hub | Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 |
| Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 |
| Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below | Deploy Log Analytics extension for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the extension is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. Deprecation notice: The Log Analytics agent will not be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | deployIfNotExists | 3.0.0 |
| Deploy Log Analytics extension for Linux VMs. See deprecation notice below | Deploy Log Analytics extension for Linux VMs if the VM Image (OS) is in the list defined and the extension is not installed. Deprecation notice: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. You must migrate to the replacement 'Azure Monitor agent' prior to that date | deployIfNotExists | 3.0.0 |
| Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for API Management services (microsoft.apimanagement/service) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for API Management services (microsoft.apimanagement/service). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for API Management services (microsoft.apimanagement/service) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for API Management services (microsoft.apimanagement/service). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for App Configuration (microsoft.appconfiguration/configurationstores). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Configuration (microsoft.appconfiguration/configurationstores). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for App Configuration (microsoft.appconfiguration/configurationstores). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for App Service (microsoft.web/sites) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for App Service (microsoft.web/sites). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Application group (microsoft.desktopvirtualization/applicationgroups) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Virtual Desktop Application group (microsoft.desktopvirtualization/applicationgroups). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Application Insights (Microsoft.Insights/components) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Application Insights (Microsoft.Insights/components). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Attestation providers (microsoft.attestation/attestationproviders). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Attestation providers (microsoft.attestation/attestationproviders). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Attestation providers (microsoft.attestation/attestationproviders). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Automation Accounts (microsoft.automation/automationaccounts). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Automation Accounts (microsoft.automation/automationaccounts). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Automation Accounts (microsoft.automation/automationaccounts). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for AVS Private clouds (microsoft.avs/privateclouds). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for AVS Private clouds (microsoft.avs/privateclouds). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for AVS Private clouds (microsoft.avs/privateclouds). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Cache for Redis (microsoft.cache/redis). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cache for Redis (microsoft.cache/redis). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Cache for Redis (microsoft.cache/redis). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Azure Cosmos DB (microsoft.documentdb/databaseaccounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Cosmos DB (microsoft.documentdb/databaseaccounts). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure FarmBeats (microsoft.agfoodplatform/farmbeats). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Machine Learning (microsoft.machinelearningservices/workspaces). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Machine Learning (microsoft.machinelearningservices/workspaces). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Machine Learning (microsoft.machinelearningservices/workspaces). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Bastions (microsoft.network/bastionhosts). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Bastions (microsoft.network/bastionhosts). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Bastions (microsoft.network/bastionhosts). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Cognitive Services (microsoft.cognitiveservices/accounts). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Cognitive Services (microsoft.cognitiveservices/accounts). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Cognitive Services (microsoft.cognitiveservices/accounts). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Container registries (microsoft.containerregistry/registries). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Container registries (microsoft.containerregistry/registries). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Container registries (microsoft.containerregistry/registries). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Domains (microsoft.eventgrid/domains). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Domains (microsoft.eventgrid/domains). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Domains (microsoft.eventgrid/domains). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Grid Topics (microsoft.eventgrid/topics). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Grid Topics (microsoft.eventgrid/topics). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Grid Topics (microsoft.eventgrid/topics). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Event Hubs Namespaces (microsoft.eventhub/namespaces). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.2.0 |
| Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Event Hubs Namespaces (microsoft.eventhub/namespaces). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Event Hubs Namespaces (microsoft.eventhub/namespaces). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Firewall (microsoft.network/azurefirewalls) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Firewall (microsoft.network/azurefirewalls). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.cdn/profiles). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.cdn/profiles). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.cdn/profiles). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Front Door and CDN profiles (microsoft.network/frontdoors). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Front Door and CDN profiles (microsoft.network/frontdoors). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Front Door and CDN profiles (microsoft.network/frontdoors). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Function App (microsoft.web/sites) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Function App (microsoft.web/sites). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Host pool (microsoft.desktopvirtualization/hostpools) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Virtual Desktop Host pool (microsoft.desktopvirtualization/hostpools). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for IoT Hub (microsoft.devices/iothubs). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for IoT Hub (microsoft.devices/iothubs). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for IoT Hub (microsoft.devices/iothubs). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Key vaults (microsoft.keyvault/vaults). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Key vaults (microsoft.keyvault/vaults). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Key vaults (microsoft.keyvault/vaults). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Log Analytics workspaces (microsoft.operationalinsights/workspaces). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Log Analytics workspaces (microsoft.operationalinsights/workspaces). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Log Analytics workspaces (microsoft.operationalinsights/workspaces). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Managed HSMs (microsoft.keyvault/managedhsms). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Managed HSMs (microsoft.keyvault/managedhsms). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Managed HSMs (microsoft.keyvault/managedhsms). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Media Services (microsoft.media/mediaservices). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Media Services (microsoft.media/mediaservices) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Media Services (microsoft.media/mediaservices). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Media Services (microsoft.media/mediaservices) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Media Services (microsoft.media/mediaservices). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Microsoft Purview accounts (microsoft.purview/accounts). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Microsoft Purview accounts (microsoft.purview/accounts). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Microsoft Purview accounts (microsoft.purview/accounts). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for microsoft.network/p2svpngateways to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for microsoft.network/p2svpngateways. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for microsoft.network/p2svpngateways to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for microsoft.network/p2svpngateways. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for microsoft.network/p2svpngateways to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for microsoft.network/p2svpngateways. | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for PostgreSQL flexible server (microsoft.dbforpostgresql/flexibleservers) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for PostgreSQL flexible server (microsoft.dbforpostgresql/flexibleservers). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Public IP addresses (microsoft.network/publicipaddresses). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.2.0 |
| Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Public IP addresses (microsoft.network/publicipaddresses). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Public IP addresses (microsoft.network/publicipaddresses). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Service Bus Namespaces (microsoft.servicebus/namespaces). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Service Bus Namespaces (microsoft.servicebus/namespaces). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Service Bus Namespaces (microsoft.servicebus/namespaces). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SignalR (microsoft.signalrservice/signalr). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SignalR (microsoft.signalrservice/signalr). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SignalR (microsoft.signalrservice/signalr). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL databases (microsoft.sql/servers/databases). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.2.0 |
| Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL databases (microsoft.sql/servers/databases). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL databases (microsoft.sql/servers/databases). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for SQL managed instances (microsoft.sql/managedinstances). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for SQL managed instances (microsoft.sql/managedinstances). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for SQL managed instances (microsoft.sql/managedinstances). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Video Analyzers (microsoft.media/videoanalyzers). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Video Analyzers (microsoft.media/videoanalyzers). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Video Analyzers (microsoft.media/videoanalyzers). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Virtual network gateways (microsoft.network/virtualnetworkgateways). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Virtual network gateways (microsoft.network/virtualnetworkgateways). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Virtual network gateways (microsoft.network/virtualnetworkgateways). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Web PubSub Service (microsoft.signalrservice/webpubsub). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.1.0 |
| Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Web PubSub Service (microsoft.signalrservice/webpubsub). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Web PubSub Service (microsoft.signalrservice/webpubsub). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Enable logging by category group for Workspace (microsoft.desktopvirtualization/workspaces) to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Virtual Desktop Workspace (microsoft.desktopvirtualization/workspaces). | DeployIfNotExists, AuditIfNotExists, Disabled | 1.0.0 |
| Linux Arc-enabled machines should have Azure Monitor Agent installed | Linux Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit Arc-enabled machines in supported regions. Learn more: https://aka.ms/AMAOverview. | AuditIfNotExists, Disabled | 1.2.0 |
| Linux virtual machine scale sets should have Azure Monitor Agent installed | Linux virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machine scale sets with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | AuditIfNotExists, Disabled | 3.2.0 |
| Linux virtual machines should have Azure Monitor Agent installed | Linux virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. This policy will audit virtual machines with supported OS images in supported regions. Learn more: https://aka.ms/AMAOverview. | AuditIfNotExists, Disabled | 3.2.0 |
| Log Analytics extension should be enabled in virtual machine scale sets for listed virtual machine images | Reports virtual machine scale sets as non-compliant if the virtual machine image is not in the list defined and the extension is not installed. | AuditIfNotExists, Disabled | 2.0.1 |
| Log Analytics workspaces should block log ingestion and querying from public networks | Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Log Analytics Workspaces should block non-Azure Active Directory based ingestion. | Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system. | Deny, Audit, Disabled | 1.0.0 |
| Public IP addresses should have resource logs enabled for Azure DDoS Protection | Enable resource logs for public IP addressess in diagnostic settings to stream to a Log Analytics workspace. Get detailed visibility into attack traffic and actions taken to mitigate DDoS attacks via notifications, reports and flow logs. | AuditIfNotExists, DeployIfNotExists, Disabled | 1.0.1 |
| Resource logs should be enabled for Audit on supported resources | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. The existence of a diagnostic setting for category group Audit on the selected resource types ensures that these logs are enabled and captured. Applicable resource types are those that support the "Audit" category group. | AuditIfNotExists, Disabled | 1.0.0 |
| Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption | Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. For more details on the above, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs=portal#customer-managed-key-for-saved-queries. | audit, Audit, deny, Deny, disabled, Disabled | 1.1.0 |
| Storage account containing the container with activity logs must be encrypted with BYOK | This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. | AuditIfNotExists, Disabled | 1.0.0 |
| The legacy Log Analytics extension should not be installed on Azure Arc enabled Linux servers | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Azure Arc enabled Linux servers. Learn more: https://aka.ms/migratetoAMA | Deny, Audit, Disabled | 1.0.0 |
| The legacy Log Analytics extension should not be installed on Azure Arc enabled Windows servers | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Azure Arc enabled Windows servers. Learn more: https://aka.ms/migratetoAMA | Deny, Audit, Disabled | 1.0.0 |
| The legacy Log Analytics extension should not be installed on Linux virtual machine scale sets | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Linux virtual machine scale sets. Learn more: https://aka.ms/migratetoAMA | Deny, Audit, Disabled | 1.0.0 |
| The legacy Log Analytics extension should not be installed on Linux virtual machines | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Linux virtual machines. Learn more: https://aka.ms/migratetoAMA | Deny, Audit, Disabled | 1.0.0 |
| The legacy Log Analytics extension should not be installed on virtual machine scale sets | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Windows virtual machine scale sets. Learn more: https://aka.ms/migratetoAMA | Deny, Audit, Disabled | 1.0.0 |
| The legacy Log Analytics extension should not be installed on virtual machines | Automatically prevent installation of the legacy Log Analytics Agent as the final step of migrating from legacy agents to Azure Monitor Agent. After you have uninstalled existing legacy extensions, this policy will deny all future installations of the legacy agent extension on Windows virtual machines. Learn more: https://aka.ms/migratetoAMA | Deny, Audit, Disabled | 1.0.0 |
| The Log Analytics extension should be installed on Virtual Machine Scale Sets | This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1 |
| Virtual machines should be connected to a specified workspace | Reports virtual machines as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. | AuditIfNotExists, Disabled | 1.1.0 |
| Virtual machines should have the Log Analytics extension installed | This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed. | AuditIfNotExists, Disabled | 1.0.1 |
| Windows Arc-enabled machines should have Azure Monitor Agent installed | Windows Arc-enabled machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows Arc-enabled machines in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | AuditIfNotExists, Disabled | 1.2.0 |
| Windows virtual machine scale sets should have Azure Monitor Agent installed | Windows virtual machine scale sets should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Virtual machine scale sets with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | AuditIfNotExists, Disabled | 3.2.0 |
| Windows virtual machines should have Azure Monitor Agent installed | Windows virtual machines should be monitored and secured through the deployed Azure Monitor Agent. The Azure Monitor Agent collects telemetry data from the guest OS. Windows virtual machines with supported OS and in supported regions are monitored for Azure Monitor Agent deployment. Learn more: https://aka.ms/AMAOverview. | AuditIfNotExists, Disabled | 3.2.0 |
| Workbooks should be saved to storage accounts that you control | With bring your own storage (BYOS), your workbooks are uploaded into a storage account that you control. That means you control the encryption-at-rest policy, the lifetime management policy, and network access. You will, however, be responsible for the costs associated with that storage account. For more information, visit https://aka.ms/workbooksByos | deny, Deny, audit, Audit, disabled, Disabled | 1.1.0 |
Next steps
- See the built-ins on the Azure Policy GitHub repo.
- Review the Azure Policy definition structure.
- Review Understanding policy effects.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for