Enterprise-Scale
Configure diagnostic settings on management groups in reference architecture templates
I've only recently discovered that Diagnostic Settings can be enabled on Management Group scope (e.g. Administrative and Policy) (although this can only be configured via the Resource Manager API while in preview).
Once enabled this would allow us to log any changes to Policy and PolicySet definitions and assignments and therefore set up alerts when those resources are modified or deleted.
This would seem to be a very good best practice to have in place and therefore to include in one or all reference architectures (Wingtip etc).
It would probably need to be optional (and the desired Log Analytics workspace would need to be provided as a parameter to the custom deployment).
Perhaps cannot be made a feature until the feature becomes GA but worth having this on the roadmap?
Thanks for submitting the issue, and this is something we have in our backlog, primarily to enable when deploying Enterprise-Scale. Regarding policy to enforce this; policy does currently not act on 'Microsoft.Management/managementGroups' resourceType, hence it will be a remediation scenario only, for now.
Thank you. 'to enable when deploying Enterprise-Scale' was definitely what I had in mind when submitting this and I wasn't requesting that this be enforced in policy.
Closing as duplicate of #696.
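As an added example (not part of the original issue or of the Enterprise-Scale repository), this is one way the alerting described in the issue could be expressed once the management group logs reach a Log Analytics workspace: keep only successful write/delete operations on Policy and PolicySet definitions and assignments at management group scope. The field names are modeled on the `AzureActivity` table columns and are assumptions here; the sample records and the `_rec` helper are constructed for illustration.

```python
import re

# Resource types named in the issue: Policy/PolicySet definitions and assignments.
POLICY_OP = re.compile(
    r"^microsoft\.authorization/"
    r"(policydefinitions|policysetdefinitions|policyassignments)/(write|delete)$",
    re.IGNORECASE)
MG_SCOPE = re.compile(
    r"^/providers/microsoft\.management/managementgroups/([^/]+)/", re.IGNORECASE)

def policy_change_alerts(records):
    """Return one alert per successful policy write/delete at management group scope."""
    alerts = []
    for rec in records:
        op = POLICY_OP.match(rec.get("OperationNameValue", ""))
        scope = MG_SCOPE.match(rec.get("ResourceId", ""))
        if not op or not scope:
            continue  # not a policy change, or not at management group scope
        # Skip non-success events such as Start, so one change yields one alert.
        if rec.get("ActivityStatusValue", "").lower() != "success":
            continue
        alerts.append({
            "management_group": scope.group(1),
            "resource_type": op.group(1).lower(),
            "action": op.group(2).lower(),
            "caller": rec.get("Caller", "unknown"),
        })
    return alerts

def _rec(op, status, resource_id, caller):
    # Hypothetical helper: builds a record with assumed AzureActivity-style fields.
    return {"OperationNameValue": op, "ActivityStatusValue": status,
            "ResourceId": resource_id, "Caller": caller}

MG = "/providers/Microsoft.Management/managementGroups/"
AUTHZ = "/providers/Microsoft.Authorization/"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Constructed sample records (not real log data).
SAMPLE = [
    _rec("Microsoft.Authorization/policyAssignments/delete", "Start",
         MG + "contoso-root" + AUTHZ + "policyAssignments/deny-public-ip", "alice@example.com"),
    _rec("Microsoft.Authorization/policyAssignments/delete", "Success",
         MG + "contoso-root" + AUTHZ + "policyAssignments/deny-public-ip", "alice@example.com"),
    _rec("MICROSOFT.AUTHORIZATION/POLICYDEFINITIONS/WRITE", "Success",
         MG + "contoso-lz" + AUTHZ + "policyDefinitions/audit-tags", "bob@example.com"),
    _rec("Microsoft.Authorization/roleAssignments/write", "Success",
         MG + "contoso-root" + AUTHZ + "roleAssignments/1111", "bob@example.com"),
    _rec("Microsoft.Authorization/policyAssignments/write", "Success",
         SUB + AUTHZ + "policyAssignments/audit-tags", "carol@example.com"),
]

if __name__ == "__main__":
    for alert in policy_change_alerts(SAMPLE):
        print(alert)
```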