I wrote an Azure Policy definition today to audit or deny VMs that are not using customer-managed storage accounts for Boot Diagnostics. The default policy effect is Deny, but it can be changed to Audit when assigning the policy because the effect is parameterized.
This policy will block the deployment (Deny) or generate an audit log entry (Audit) if the Virtual Machine either has Boot Diagnostics disabled or is configured to use a Microsoft-managed storage account.
The policy definition can be found in my AzurePolicy GitHub repo HERE.
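For illustration, here is an added example of what such a definition can look like. This is not the definition from the repo linked above; it is a constructed policy that follows the behaviour described in this post, and it assumes the two `Microsoft.Compute/virtualMachines/diagnosticsProfile.bootDiagnostics.*` aliases are available in your tenant (check with `az provider show --namespace Microsoft.Compute --expand resourceTypes/aliases`). A VM with Microsoft-managed boot diagnostics reports `enabled` as `true` with no `storageUri`, which is why the rule checks both conditions.

```json
{
  "properties": {
    "displayName": "Boot Diagnostics must use a customer-managed storage account",
    "description": "Audits or denies VMs that have Boot Diagnostics disabled or use the Microsoft-managed storage account. Added example, not the author's repo definition.",
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Deny blocks the deployment; Audit only records a non-compliance event."
        },
        "allowedValues": [ "Audit", "Deny" ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/diagnosticsProfile.bootDiagnostics.enabled",
                "notEquals": "true"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/diagnosticsProfile.bootDiagnostics.storageUri",
                "exists": "false"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/diagnosticsProfile.bootDiagnostics.storageUri",
                "equals": ""
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assign it with `Audit` first to see which existing VMs would be affected, then switch the assignment parameter to `Deny` once the non-compliant VMs have been remediated.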