Configure Azure Activity logs to stream to specified Storage account from all subscriptions

Kaushik Ray 0

I want to send all Activity logs from all subscriptions (with in my Managment group) to a specific storage account. Do we have any Built in policy which can be enforced at management group and propagated to all subscriptions ?

Rahul Podila 1,725 Reputation points Microsoft Vendor

2025-01-23T06:45:21.9166667+00:00

Hi @Kaushik Ray

Just checking in to see if the below answer provided by @Stanislav Zhelyazkov helped.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know
Rahul Podila 1,725 Reputation points Microsoft Vendor

2025-01-27T01:50:16.4+00:00

Hi @Kaushik Ray

We haven't heard back from you. Please reply if you have any questions in this matter and we will gladly continue the discussion.

1 answer

Stanislav Zhelyazkov 25,856 Reputation points MVP

2025-01-21T13:11:13.7066667+00:00
Hi,

There is no such built-in policy available but you can make copy of "Configure Azure Activity logs to stream to specified Log Analytics workspace" policy and there are a few things that you need to change:

parameter logAnalytics change it to storageAccountResourceId. Replace in the policy everywhere where it is referenced. Remove strongType from the parameter.

within the policy you can change the subscriptionToLa name to subscriptionToSa

Change property workspaceId to storageAccountId.

Change role definition from /providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293 to /providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab.

I hope this helps you not only achieve this particular task but also in case you encounter other scenarios that may require modifying existing built-in policy.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Kaushik Ray 0 Reputation points

2025-01-22T15:58:52.4333333+00:00

Thanks for the response!
I was wondering if we can export the data to a specific container for all subscriptions?
say :
/activity-logs/subs1/yyyy/mm
/activity-logs/subs2/yyyy/mm.. ..

Stanislav Zhelyazkov 25,856 Reputation points MVP

2025-01-23T08:08:57.64+00:00

No, the integration with storage account does not allows you to pick a specific container. The container is automatically created according to the log. The structure of the log is like:

insights-activity-logs/resourceId=/SUBSCRIPTIONS/{subscription ID}/y={four-digit numeric year}/m={two-digit numeric month}/d={two-digit numeric day}/h={two-digit 24-hour clock hour}/m=00/PT1H.json

Source

Kaushik Ray 0 Reputation points

2025-01-23T20:16:59.55+00:00

I tried implementing the policy however even though the policy implemented, the compliance is 0%.

More details for each subscription which failed compliance:
Reason for non-compliance

No related resources match the effect details in the policy definition.

Existence condition

Type

Microsoft.Insights/diagnosticSettings

{ "if": { "field": "type", "equals": "Microsoft.Resources/subscriptions" }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Insights/diagnosticSettings", "deploymentScope": "Subscription", "existenceScope": "Subscription", "existenceCondition": { "allOf": [ { "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", "equals": "[parameters('logsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/storageAccountId", "equals": "[parameters('storageAccountId')]" } ] }, "deployment": { "location": "westeurope", "properties": { "mode": "incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "storageAccountId": { "type": "string" }, "logsEnabled": { "type": "string" } }, "variables": {}, "resources": [ { "name": "subscriptionToSt", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2017-05-01-preview", "location": "Global", "properties": { "storageAccountId": "[parameters('storageAccountId')]", "logs": [ { "category": "Administrative", "enabled": "[parameters('logsEnabled')]" }, { "category": "Security", "enabled": "[parameters('logsEnabled')]" }, { "category": "Policy", "enabled": "[parameters('logsEnabled')]" } ] } } ], "outputs": {} }, "parameters": { "storageAccountId": { "value": "[parameters('storageAccountId')]" }, "logsEnabled": { "value": "[parameters('logsEnabled')]" } } } }, "roleDefinitionIds": [ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", "/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab" ] } } }

Kaushik Ray 0 Reputation points

2025-01-23T20:25:34.8033333+00:00

storageAccountId - is correct - "/subscriptions/subs-id/resourceGroups/rg-name/providers/Microsoft.Storage/storageAccounts/staccname" (String)
logsEnabled - "True" String
effect - "DeployIfNotExists" String

Please advise.

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Stanislav Zhelyazkov 25,856 Reputation points MVP

2025-01-24T07:45:33.06+00:00

You have deployIfNotExists effect:

deployIfNotExists runs after a configurable delay when a Resource Provider handles a create or update subscription or resource request and returned a success status code. A template deployment occurs if there are no related resources or if the resources defined by existenceCondition don't evaluate to true. The duration of the deployment depends on the complexity of resources included in the template.

During an evaluation cycle, policy definitions with a DeployIfNotExists effect that match resources are marked as non-compliant, but no action is taken on that resource. Existing non-compliant resources can be remediated with a remediation task.

Due to that I would suggest to remediate so the configuration to be applied on all your existing subscriptions.

Kaushik Ray 0 Reputation points

2025-01-27T10:29:08.8566667+00:00

Remediation step - picked 0 of 0 resources and didn't setup diagnostic settings, however after again creating remediation step then it created all diagnostics settings sending logs to storage account.
In case in future there is a new subscription, then it should have the policy enforced and diagnostic settings enabled, I tried deleting one wokring subscription diagnostic settings and left it over the weekend, it evaluated to Compliance failed but didn't create the diagnostics settings. I think if I create the remediation again then it will, but that doesn't solve the purpose for newer subscriptions.

Looks for some suggestions.

Stanislav Zhelyazkov 25,856 Reputation points MVP

2025-01-27T10:37:40.9333333+00:00

As far as I am aware for new subscriptions it should apply but it does not apply if you delete the diagnostic settings. That is the nature of deployIfNotExists effect which you can read in the link provided.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Configure Azure Activity logs to stream to specified Storage account from all subscriptions

1 answer

Your answer