November 2020 Update for Azure Diagnostic Settings Policy Definitions

Last month, I released some updates to the Azure Policy definitions for Diagnostics Settings. After that update, there was a requirement for me to revisit and revalidate all existing policy definitions, so I have spent few days and have gone through them all, making sure they are still up-to-date. I have also added few definitions for few additional Azure services.

Here’s a the change log:

• Updated the existing policy definitions for the following Azure services:
  • Azure Container Registry
  • Azure Kubernetes Service
  • Azure API Management
  • Azure Cognitive Services
  • Cosmos DB
  • Azure Data Factory
  • Event Grid Topic
  • ExpressRoute Circuits
  • Azure Firewall
  • Azure HDInsight
  • Azure Recovery Services Vault (Split Azure Backup and Azure Site Recovery into separate policies as explained in this article)
  • IoT Hub
  • MySQL
  • PostgreSQL
  • Azure Relay
  • SignalR
  • SQL Elastic Pool
  • Virtual Network
  • Virtual Network Gateway (update + bugfix)
  • Web App (Updated to exclude Function App. Function App is not included because Diagnostic settings only support Function App V3 which is still in preview, and I can’t seem to find a way to detect Function Run time version using policy aliases).
• New policy definitions for:
  • CDN Profile
  • Log App Integration Service Environment
  • AppInsights
  • App Service Environment
  • Azure Storage Account (at the time of writing, this is still in public preview, documented in this article)
• Updated Diagnostic Setting policies that send data Log Analytics:
  • Added “assignPermission” to log analytics workspaces
  • Added Azure Diagnostics mode vs Resource-Specific mode selection for applicable resource types (explained in this article)