Enable diagnostics on MGs and AAD
Describe the solution you'd like
- Enable diagnostics on MGs when LA is deployed
- Enable diagnostics on AAD when LA is being deployed
For the AAD Logs we will need to cater for the AAD Premium license requirement:

Yes, we can do that client side to determine the logs we will enable.
I have just authored an ARM template for this and will place here for everyone's benefit:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "lawResourceId": {
      "type": "string",
      "metadata": {
        "description": "ResourceID for Log Analytics Workspace"
      }
    }
  },
  "resources": [
    {
      "type": "microsoft.aadiam/diagnosticSettings",
      "apiVersion": "2017-04-01",
      "name": "sendToLogAnalytics",
      "properties": {
        "workspaceId": "[parameters('lawResourceId')]",
        "logs": [
          {
            "category": "AuditLogs",
            "enabled": true,
            "retentionPolicy": {
              "days": 0,
              "enabled": false
            }
          },
          {
            "category": "SignInLogs",
            "enabled": true,
            "retentionPolicy": {
              "days": 0,
              "enabled": false
            }
          },
          {
            "category": "NonInteractiveUserSignInLogs",
            "enabled": true,
            "retentionPolicy": {
              "days": 0,
              "enabled": false
            }
          },
          {
            "category": "ServicePrincipalSignInLogs",
            "enabled": true,
            "retentionPolicy": {
              "days": 0,
              "enabled": false
            }
          },
          {
            "category": "ManagedIdentitySignInLogs",
            "enabled": true,
            "retentionPolicy": {
              "days": 0,
              "enabled": false
            }
          },
          {
            "category": "ProvisioningLogs",
            "enabled": true,
            "retentionPolicy": {
              "days": 0,
              "enabled": false
            }
          },
          {
            "category": "ADFSSignInLogs",
            "enabled": true,
            "retentionPolicy": {
              "days": 0,
              "enabled": false
            }
          },
          {
            "category": "RiskyUsers",
            "enabled": true,
            "retentionPolicy": {
              "days": 0,
              "enabled": false
            }
          },
          {
            "category": "UserRiskEvents",
            "enabled": true,
            "retentionPolicy": {
              "days": 0,
              "enabled": false
            }
          }
        ],
        "metrics": []
      }
    }
  ],
  "outputs": {}
}
```
Is there an update on the ability to send the MG activity log to LA/Event Hub via Policy?
@chrisking81, we can enable diagnostics of management groups to Log Analytics during bootstrap, but policy effects do not operate on management groups yet, so your scenario cannot be achieved.
Hi team. I know we can't enable diagnostics on the MGs via policy, but is there any progress on an approach to send the MG activity logs to the central LAWS?
Hey @chrisking81,
This Bicep file can be used to enable it on each MG to an LAW
Main Module (orchestration - deploy this)
```bicep
targetScope = 'tenant'

param parMgIdName string
param parLawId string

// Create (or update) the management group at tenant scope
resource resMg 'Microsoft.Management/managementGroups@2021-04-01' = {
  name: parMgIdName
  properties: {
    displayName: parMgIdName
  }
}

// Deploy the child module scoped to the management group created above
module modMgDiagSet 'diagSettings.bicep' = {
  scope: resMg
  name: 'mg-diag-set-${parMgIdName}'
  params: {
    parLawId: parLawId
  }
}
```
Child Module - diagSettings.bicep
```bicep
targetScope = 'managementGroup'

param parLawId string

// Send the management group activity log (Administrative and Policy categories)
// to the central Log Analytics workspace
resource mgDiagSet 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'toLa'
  properties: {
    workspaceId: parLawId
    logs: [
      {
        category: 'Administrative'
        enabled: true
      }
      {
        category: 'Policy'
        enabled: true
      }
    ]
  }
}
```
@krowlandson, @jfaurskov, @matt-FFFFFF - do we agree we should bootstrap this in all RIs, even though it can't be policied?
Yes. I think we should enable if we are delaying the log analytics workspace.
@matt-FFFFFF I added it to all ADO iteration paths last night and we are planning the work for Bicep in September's sprint, which @lachaves is picking up for us. So it may be worth seeing if you want to work with @lachaves and get him to help with the ALZ TF version as well :)
@jtracey93 As the logging module (logging.bicep) is scoped at the resourceGroup, we can't include a module scoped at the MG level, so we can't use the current logging module to orchestrate the onboarding of diagnosticSettings for all MGs with how things are scoped today. What approach should we use here, any ideas, or am I missing something?
Note: One exception is that Bicep files with a targetScope of resourceGroup or subscription can't include a module with a scope of managementGroup.
Hey @lachaves, let's chat tomorrow on our sync. But as discussed on our last call, I would create a new module for the MG Diag Settings similar to subscriptionPlacement.bicep and then create another orchestration module like subPlacementAll.bicep.
Then add it as another step to the deployment flow, once the management groups and logging modules have been deployed.
Does that help?
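The orchestration module described in the two comments above, written out as an added example (this is not code from the ALZ repo). It assumes the `diagSettings.bicep` child module posted earlier in the thread sits in the same folder, that the management groups listed in `parMgIds` already exist (the management groups step runs before this one), and that the parameter names and the default management group IDs are illustrative and should be replaced with your own hierarchy, including any custom children such as the SAP one mentioned later. Because each iteration is a module scoped with the `managementGroup()` scope function from a tenant-scoped file, the resourceGroup/subscription scope restriction quoted above does not apply.

```bicep
// Added example (not the ALZ project's own code): tenant-scoped orchestration
// module, e.g. mgDiagSettingsAll.bicep, that deploys the diagSettings.bicep
// child module once per management group.
// Assumptions: diagSettings.bicep is in the same folder and every listed
// management group already exists.
targetScope = 'tenant'

@description('IDs of the existing management groups whose activity log should be sent to the workspace. Example values; replace with your hierarchy.')
param parMgIds array = [
  'alz'
  'alz-platform'
  'alz-platform-management'
  'alz-platform-connectivity'
  'alz-platform-identity'
  'alz-landingzones'
  'alz-landingzones-corp'
  'alz-landingzones-online'
  'alz-decommissioned'
  'alz-sandbox'
]

@description('Resource ID of the central Log Analytics workspace.')
param parLawId string

// One module deployment per management group. Each deployment name must be
// unique within the tenant deployment, so the MG ID is embedded in it.
module modMgDiagSetAll 'diagSettings.bicep' = [for mgId in parMgIds: {
  name: 'mg-diag-set-${mgId}'
  scope: managementGroup(mgId)
  params: {
    parLawId: parLawId
  }
}]
```

Run it after the management groups and logging modules, for example with `az deployment tenant create --location <region> --template-file mgDiagSettingsAll.bicep --parameters parLawId=<workspace resource ID>`. The deploying identity needs write access to the diagnostic settings of every listed management group (in practice a role such as Owner or Contributor at the intermediate root MG) as well as access to the workspace; a management group missing from `parMgIds` simply stays unonboarded, which is why a check like the REST GET shown further down is worth running per MG afterwards.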
Hi @jtracey93 . Yes, that is what I did, working now for both standard management groups and also custom children management groups.
Just confirmed via the REST API for a custom landing zone named alz-landingzones-SAP, working fine.
```http
GET https://management.azure.com/providers/microsoft.management/managementGroups/alz-landingzones-SAP/providers/microsoft.insights/diagnosticSettings/toLa?api-version=2020-01-01-preview
```
```json
{
  "id": "providers/Microsoft.Management/managementGroups/alz-landingzones-SAP/providers/microsoft.insights/diagnosticSettings/toLa",
  "type": "Microsoft.Insights/diagnosticSettings",
  "name": "toLa",
  "location": "global",
  "properties": {
    "workspaceId": "/subscriptions/xxxxxxx/resourcegroups/alz-logging/providers/microsoft.operationalinsights/workspaces/alz-log-analytics",
    "logs": [
      {
        "category": "Administrative",
        "enabled": true,
        "categoryGroup": null
      },
      {
        "category": "Policy",
        "enabled": true,
        "categoryGroup": null
      }
    ]
  }
}
```