Bicep resource definition
The diagnosticSettings resource type can be deployed with operations that target:
- Tenant - See tenant deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a microsoft.aadiam/diagnosticSettings resource, add the following Bicep to your template.
```bicep
resource symbolicname 'microsoft.aadiam/diagnosticSettings@2017-04-01' = {
  name: 'string'
  properties: {
    eventHubAuthorizationRuleId: 'string'
    eventHubName: 'string'
    logs: [
      {
        category: 'string'
        enabled: bool
        retentionPolicy: {
          days: int
          enabled: bool
        }
      }
    ]
    serviceBusRuleId: 'string'
    storageAccountId: 'string'
    workspaceId: 'string'
  }
}
```
Property Values
microsoft.aadiam/diagnosticSettings
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) |
| properties | Properties of a Diagnostic Settings Resource. | DiagnosticSettings |
DiagnosticSettings
| Name | Description | Value |
|---|---|---|
| eventHubAuthorizationRuleId | The resource ID for the event hub authorization rule. | string |
| eventHubName | The name of the event hub. If none is specified, the default event hub will be selected. | string |
| logs | The list of logs settings. | LogSettings[] |
| serviceBusRuleId | The service bus rule ID of the diagnostic setting. This is here to maintain backwards compatibility. | string |
| storageAccountId | The resource ID of the storage account to which you would like to send Diagnostic Logs. | string |
| workspaceId | The workspace ID (resource ID of a Log Analytics workspace) for a Log Analytics workspace to which you would like to send Diagnostic Logs. Example: /subscriptions/a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/viruela2 | string |
LogSettings
| Name | Description | Value |
|---|---|---|
| category | Name of a Diagnostic Log category for a resource type this setting is applied to. To obtain the list of Diagnostic Log categories for a resource, first perform a GET diagnostic settings operation. | 'AuditLogs', 'SignInLogs' |
| enabled | A value indicating whether this log is enabled. | bool (required) |
| retentionPolicy | The retention policy for this log. | RetentionPolicy |
RetentionPolicy
| Name | Description | Value |
|---|---|---|
| days | The number of days to retain events. A value of 0 will retain the events indefinitely. | int (required). Constraints: Min value = 0 |
| enabled | A value indicating whether the retention policy is enabled. | bool (required) |
ARM template resource definition
The diagnosticSettings resource type can be deployed with operations that target:
- Tenant - See tenant deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a microsoft.aadiam/diagnosticSettings resource, add the following JSON to your template.
```json
{
  "type": "microsoft.aadiam/diagnosticSettings",
  "apiVersion": "2017-04-01",
  "name": "string",
  "properties": {
    "eventHubAuthorizationRuleId": "string",
    "eventHubName": "string",
    "logs": [
      {
        "category": "string",
        "enabled": "bool",
        "retentionPolicy": {
          "days": "int",
          "enabled": "bool"
        }
      }
    ],
    "serviceBusRuleId": "string",
    "storageAccountId": "string",
    "workspaceId": "string"
  }
}
```
Property Values
microsoft.aadiam/diagnosticSettings
| Name | Description | Value |
|---|---|---|
| apiVersion | The API version | '2017-04-01' |
| name | The resource name | string (required) |
| properties | Properties of a Diagnostic Settings Resource. | DiagnosticSettings |
| type | The resource type | 'microsoft.aadiam/diagnosticSettings' |
DiagnosticSettings
| Name | Description | Value |
|---|---|---|
| eventHubAuthorizationRuleId | The resource ID for the event hub authorization rule. | string |
| eventHubName | The name of the event hub. If none is specified, the default event hub will be selected. | string |
| logs | The list of logs settings. | LogSettings[] |
| serviceBusRuleId | The service bus rule ID of the diagnostic setting. This is here to maintain backwards compatibility. | string |
| storageAccountId | The resource ID of the storage account to which you would like to send Diagnostic Logs. | string |
| workspaceId | The workspace ID (resource ID of a Log Analytics workspace) for a Log Analytics workspace to which you would like to send Diagnostic Logs. Example: /subscriptions/a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/viruela2 | string |
LogSettings
| Name | Description | Value |
|---|---|---|
| category | Name of a Diagnostic Log category for a resource type this setting is applied to. To obtain the list of Diagnostic Log categories for a resource, first perform a GET diagnostic settings operation. | 'AuditLogs', 'SignInLogs' |
| enabled | A value indicating whether this log is enabled. | bool (required) |
| retentionPolicy | The retention policy for this log. | RetentionPolicy |
RetentionPolicy
| Name | Description | Value |
|---|---|---|
| days | The number of days to retain events. A value of 0 will retain the events indefinitely. | int (required). Constraints: Min value = 0 |
| enabled | A value indicating whether the retention policy is enabled. | bool (required) |
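
The following check is an added example, not part of the original reference or Microsoft's code: it audits one ARM template resource of this type for a missing destination, a disabled log category and a short retention period. The required-category baseline, the 90-day threshold and the sample resource are assumptions made for illustration.

```python
import json

# Destination properties from the DiagnosticSettings table; at least one must be set.
DESTINATIONS = ("eventHubAuthorizationRuleId", "storageAccountId", "workspaceId")
# Assumed baseline (not from the page): both documented categories must be exported.
REQUIRED_CATEGORIES = {"AuditLogs", "SignInLogs"}
MIN_RETENTION_DAYS = 90  # assumed policy threshold, used only when retention is enabled

def audit_diagnostic_setting(resource):
    """Return a list of findings for one diagnosticSettings template resource."""
    if resource.get("type", "").lower() != "microsoft.aadiam/diagnosticsettings":
        return ["not a microsoft.aadiam/diagnosticSettings resource"]
    props = resource.get("properties") or {}
    findings = []
    if not any(props.get(d) for d in DESTINATIONS):
        findings.append("no destination set (event hub, storage account or workspace)")
    # Keep only entries that are explicitly enabled, keyed by category.
    enabled = {log.get("category", ""): log
               for log in props.get("logs") or [] if log.get("enabled") is True}
    for missing in sorted(REQUIRED_CATEGORIES - set(enabled)):
        findings.append(f"category {missing} is not enabled")
    for category, log in sorted(enabled.items()):
        policy = log.get("retentionPolicy") or {}
        days = policy.get("days", 0)
        # days == 0 retains events indefinitely, so only 1..MIN-1 counts as short.
        if policy.get("enabled") is True and 0 < days < MIN_RETENTION_DAYS:
            findings.append(f"category {category} retained for only {days} days")
    return findings

# Constructed sample resource; names and IDs are placeholders, not from the page.
SAMPLE = json.loads("""
{
  "type": "microsoft.aadiam/diagnosticSettings",
  "apiVersion": "2017-04-01",
  "name": "example-setting",
  "properties": {
    "storageAccountId": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<name>",
    "logs": [
      {"category": "AuditLogs", "enabled": true, "retentionPolicy": {"days": 7, "enabled": true}},
      {"category": "SignInLogs", "enabled": false}
    ]
  }
}
""")

if __name__ == "__main__":
    for finding in audit_diagnostic_setting(SAMPLE):
        print("FINDING:", finding)
```
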
Terraform (AzAPI provider) resource definition
The diagnosticSettings resource type can be deployed with operations that target:
- Tenant
For a list of changed properties in each API version, see change log.
Resource format
To create a microsoft.aadiam/diagnosticSettings resource, add the following Terraform to your template.
```terraform
resource "azapi_resource" "symbolicname" {
  type = "microsoft.aadiam/diagnosticSettings@2017-04-01"
  name = "string"
  parent_id = "string"
  body = {
    properties = {
      eventHubAuthorizationRuleId = "string"
      eventHubName = "string"
      logs = [
        {
          category = "string"
          enabled = bool
          retentionPolicy = {
            days = int
            enabled = bool
          }
        }
      ]
      serviceBusRuleId = "string"
      storageAccountId = "string"
      workspaceId = "string"
    }
  }
}
```
Property Values
microsoft.aadiam/diagnosticSettings
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) |
| properties | Properties of a Diagnostic Settings Resource. | DiagnosticSettings |
| type | The resource type | "microsoft.aadiam/diagnosticSettings@2017-04-01" |
DiagnosticSettings
| Name | Description | Value |
|---|---|---|
| eventHubAuthorizationRuleId | The resource ID for the event hub authorization rule. | string |
| eventHubName | The name of the event hub. If none is specified, the default event hub will be selected. | string |
| logs | The list of logs settings. | LogSettings[] |
| serviceBusRuleId | The service bus rule ID of the diagnostic setting. This is here to maintain backwards compatibility. | string |
| storageAccountId | The resource ID of the storage account to which you would like to send Diagnostic Logs. | string |
| workspaceId | The workspace ID (resource ID of a Log Analytics workspace) for a Log Analytics workspace to which you would like to send Diagnostic Logs. Example: /subscriptions/a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1/resourceGroups/insights-integration/providers/Microsoft.OperationalInsights/workspaces/viruela2 | string |
LogSettings
| Name | Description | Value |
|---|---|---|
| category | Name of a Diagnostic Log category for a resource type this setting is applied to. To obtain the list of Diagnostic Log categories for a resource, first perform a GET diagnostic settings operation. | 'AuditLogs', 'SignInLogs' |
| enabled | A value indicating whether this log is enabled. | bool (required) |
| retentionPolicy | The retention policy for this log. | RetentionPolicy |
RetentionPolicy
| Name | Description | Value |
|---|---|---|
| days | The number of days to retain events. A value of 0 will retain the events indefinitely. | int (required). Constraints: Min value = 0 |
| enabled | A value indicating whether the retention policy is enabled. | bool (required) |
Usage Examples
Terraform Samples
A basic example of deploying Azure Active Directory Diagnostic Setting for Azure Monitor.
```terraform
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}

variable "resource_name" {
  type = string
  default = "acctest0001"
}

variable "location" {
  type = string
  default = "westus"
}

data "azapi_client_config" "current" {}

resource "azapi_resource" "resourceGroup" {
  type = "Microsoft.Resources/resourceGroups@2020-06-01"
  name = var.resource_name
  location = var.location
}

# Event Hubs namespace that holds the event hub receiving the exported logs.
resource "azapi_resource" "namespace" {
  type = "Microsoft.EventHub/namespaces@2024-01-01"
  parent_id = azapi_resource.resourceGroup.id
  name = "${var.resource_name}-EHN-unique"
  location = var.location
  body = {
    properties = {
      disableLocalAuth = false
      isAutoInflateEnabled = false
      minimumTlsVersion = "1.2"
      publicNetworkAccess = "Enabled"
    }
    sku = {
      capacity = 1
      name = "Basic"
      tier = "Basic"
    }
  }
}

# Event hub that the diagnostic setting streams to.
resource "azapi_resource" "eventhub" {
  type = "Microsoft.EventHub/namespaces/eventhubs@2024-01-01"
  parent_id = azapi_resource.namespace.id
  name = "${var.resource_name}-EH-unique"
  body = {
    properties = {
      messageRetentionInDays = 1
      partitionCount = 2
      status = "Active"
    }
  }
}

# Namespace-level authorization rule referenced by eventHubAuthorizationRuleId below.
resource "azapi_resource" "authorizationRule" {
  type = "Microsoft.EventHub/namespaces/authorizationRules@2024-01-01"
  parent_id = azapi_resource.namespace.id
  name = "example"
  body = {
    properties = {
      rights = ["Listen", "Send", "Manage"]
    }
  }
}

# Tenant-level diagnostic setting (parent_id = "/") that enables each listed log category.
resource "azapi_resource" "diagnosticSetting" {
  type = "Microsoft.AADIAM/diagnosticSettings@2017-04-01"
  parent_id = "/"
  name = "${var.resource_name}-DS-unique"
  body = {
    properties = {
      eventHubAuthorizationRuleId = azapi_resource.authorizationRule.id
      eventHubName = azapi_resource.eventhub.name
      logs = [
        {
          category = "RiskyUsers"
          enabled = true
        },
        {
          category = "ServicePrincipalSignInLogs"
          enabled = true
        },
        {
          category = "SignInLogs"
          enabled = true
        },
        {
          category = "B2CRequestLogs"
          enabled = true
        },
        {
          category = "UserRiskEvents"
          enabled = true
        },
        {
          category = "NonInteractiveUserSignInLogs"
          enabled = true
        },
        {
          category = "AuditLogs"
          enabled = true
        }
      ]
    }
  }
}
```