Azure Policy DeployIfNotExists is not adding diagnostic setting configuration for event hub automatically

Narayan, Ram 5 Reputation points
2024-02-15T17:12:21.8766667+00:00

Two initiatives with multiple policies have been assigned at the management group level for every type of resource that can have a diagnostic setting to send logs to the event hub. One initiative is for custom policies and the other is for built-in policies. The managed identity associated with the policies has the following two roles: 1) "Log Analytics Contributor" and 2) "Azure Event Hubs Data Owner". In our case we are not using a Log Analytics workspace to send the logs, and so the first one, I think, is not useful for our scenario. The second role is more about access to the data in event hubs, and so it does not have access to add a configuration to the resource. I am trying to figure out the place in the portal that may show errors that the DINE policy deployment is failing, or any other role that will have the correct permission to add the missing configuration.


3 answers

  1. Narayan, Ram 5 Reputation points
    2024-03-04T20:29:05.18+00:00

    Hello Timmy and Anurag,

    Thank you for providing me the possible solutions and for following up with me to see if the issue got resolved.

    My first hunch was that it was a role problem because the DeployIfNotExists code was not getting deployed. On further investigation we found out that the whole initiative was assigned in "DoNotEnforce" mode, and it seems like it has been like that right from the beginning. This was the reason the DeployIfNotExists code in all the policies was not getting initiated at the time of resource deployment. We have made the change in the assignment now, and going forward we will be checking on how the compliance numbers are progressing every day. That will help us figure out if we have any other issues.

    This can be closed as resolved now.

    1 person found this answer helpful.

  2. Timmy Malmgren 886 Reputation points
    2024-02-18T19:32:49.3366667+00:00

    Hi Narayan!

    A quick question: you don't want to use a system-assigned managed identity instead? This will automatically take care of the role issue.

    If you don't want to use it, you might want to create a custom role with this operation: "Microsoft.Insights/DiagnosticSettings/[Read, Write, Delete]", which gives read, write, or delete on diagnostic settings. This is a guide on how you can create your own custom role in Azure :)
    https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles

    If you create a Remediation task for your policy, you should get some more information on the deployment failures.

    Hope this is helpful. Best Regards, Timmy Malmgren

    ---If the Answer is helpful, please click "Accept Answer" and upvote it as it helps others to find what they are looking for faster!


  3. AnuragSingh-MSFT 20,431 Reputation points
    2024-02-29T09:49:29.6966667+00:00

    Narayan, Ram, thank you for providing additional information and apologies for the delayed response.

    To be able to add "diagnostic settings" for a resource, the identity should have the "Monitoring Contributor" role. Or, as suggested by Timmy, you can further drill down to the specific permission based on the requirement, as mentioned here: Monitor permissions and Azure custom roles.

    Furthermore, as mentioned here, to create or edit a diagnostic setting, users must also separately be granted ListKeys permission on the target resource (storage account or event hub namespace). Regarding your other question about a way to check errors related to the DINE policy, please use the following:

    1. Azure portal --> Policy --> Compliance
    2. Search for the Initiative which was assigned and click on it.
    3. The next page takes you to the page which has information about resource compliance.
    4. Furthermore, you could also review the "Activity Logs" on this page to check for activities which were triggered. This should also contain information about failures, if any.

    Hope this helps. Please let us know if you are still facing any issues.

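A small offline checker for the two failure modes raised in this thread (the "DoNotEnforce" assignment from the accepted answer and the missing "Monitoring Contributor" role from this one), written as an added example and not code from the thread or from Microsoft. It assumes the ARM JSON shape of a policy assignment and policy definition as I know it, and the built-in role GUIDs listed in the code are assumed values to confirm against your tenant.

```python
import copy

# Built-in role definition GUIDs (assumed from Azure's built-in role list; confirm with
#   az role definition list --name "Monitoring Contributor" --query "[].name" -o tsv)
BUILTIN_ROLES = {
    "749f88d5-cbae-40b8-bcfc-e573ddc772fa": "Monitoring Contributor",
    "92aaf0da-9dab-42b6-94a3-d43ce8d16293": "Log Analytics Contributor",
    "f526a384-b230-433a-b45c-95f59c4a2dec": "Azure Event Hubs Data Owner",
}
ROLE_PREFIX = "/providers/Microsoft.Authorization/roleDefinitions/"
MONITORING_CONTRIBUTOR = ROLE_PREFIX + "749f88d5-cbae-40b8-bcfc-e573ddc772fa"


def check_dine(assignment, definition):
    """Return the findings that would stop this DeployIfNotExists policy from remediating."""
    findings = []
    props = assignment.get("properties", {})
    mode = props.get("enforcementMode", "Default")  # an omitted enforcementMode means Default
    if mode != "Default":
        findings.append(f"enforcementMode={mode}: DINE deployments are never triggered")
    if not assignment.get("identity"):
        findings.append("no managed identity on the assignment: DINE cannot deploy")
    details = definition["properties"]["policyRule"]["then"].get("details", {})
    role_ids = [r.rsplit("/", 1)[-1].lower() for r in details.get("roleDefinitionIds", [])]
    if "Monitoring Contributor" not in {BUILTIN_ROLES.get(r, r) for r in role_ids}:
        findings.append("roleDefinitionIds lacks Monitoring Contributor: identity cannot "
                        "write Microsoft.Insights/diagnosticSettings on the target resource")
    return findings


def remediate(assignment, definition):
    """Return corrected copies: set the assignment to enforce and grant the missing role."""
    fixed_a, fixed_d = copy.deepcopy(assignment), copy.deepcopy(definition)
    fixed_a["properties"]["enforcementMode"] = "Default"
    then = fixed_d["properties"]["policyRule"]["then"]
    roles = then.setdefault("details", {}).setdefault("roleDefinitionIds", [])
    if MONITORING_CONTRIBUTOR not in roles:
        roles.append(MONITORING_CONTRIBUTOR)
    return fixed_a, fixed_d


# Constructed sample mirroring the thread: DoNotEnforce, and only the two roles the
# poster had granted. The deployment template under "details" is omitted for brevity.
SAMPLE_DEFINITION = {"properties": {"policyRule": {
    "if": {"field": "type", "equals": "Microsoft.KeyVault/vaults"},
    "then": {"effect": "DeployIfNotExists", "details": {
        "type": "Microsoft.Insights/diagnosticSettings",
        "roleDefinitionIds": [ROLE_PREFIX + "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
                              ROLE_PREFIX + "f526a384-b230-433a-b45c-95f59c4a2dec"]}}}}}
SAMPLE_ASSIGNMENT = {"identity": {"type": "SystemAssigned"},
                     "properties": {"enforcementMode": "DoNotEnforce"}}
```

Run `check_dine` on the output of `az policy assignment show` and `az policy definition show` (converted with `json.load`) to reproduce the findings against a real assignment.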