Within Azure Resources, specific resources contain a Diagnostic settings page. This can be interacted with using the Set-AzDiagnosticSetting PowerShell module.
The module appears to let you be able to alter nearly every single metric on the diagnostic page except the Category Groups.
The module supports enabling the Categories under Logs, but not the Category groups. Does anyone know if that is actually possible to change via PowerShell?
Set-AzDiagnosticSetting -ResourceID $ResourceID -Enabled $true -MetricCategory AllMetrics -Category AuditEvent -Name $EventHubLoggingName -EventHubName $EventHubName -EventHubAuthorizationRuleId $EventHubPath | Out-Null
Currently you cannot create diagnostic setting with Category groups using either Powershell or with Azure CLI cmdlets.
Alternatively you can use the Azure Management Rest API Diagnostic Settings - Create Or Update to create the Diagnostic settings with Category groups.
I have tested this REST API (by creating Audit category group diagnostics settings to the keyvault) it is working fine from my end and I would suggest you to create validate it from your end as well.
Here is sample output for reference:
You can refer to this for more information about which properties you can to the logs property in the request body.
Related
I have created an API Management resource in Azure. Within the API management, under APIs section > All APIs, I have added an inbound policy 'ip-filter'.
I wish to programatically change the contents of the policy's xml.
Is there a way to achieve this?
Thanks!
You could use the Set-AzApiManagementPolicy from the Az Powershell to set the Policy XML.
Set-AzApiManagementPolicy -Context $apimContext -PolicyFilePath "C:\contoso\policies\tenantpolicy.xml"
There are various scopes. You could set it at the tenant level,product level,api level and at the operation level. You could refer this for more information.
I'm having some issues assigning one of the built-in policies with a logAnalytics parameter where there are multiple subscriptions involved. I need to do it with code. Here's how I try to accomplish it.
Get a reference to the built-in policy definition to assign
$definition = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq 'Deploy Log Analytics agent for Windows VMs' }
$parameter = #{
logAnalytics = '<resourceId to my logAnalytics workspace>'
}
Create the policy assignment with the built-in definition against your resource group
New-AzPolicyAssignment -Name 'Deploy LA Agent Windows VMs' -DisplayName 'Deploy LA Agent Windows VMs' -Scope "/subscriptions/<my subscriptionId" -PolicyDefinition $definition -AssignIdentity -Location 'norwayeast' -PolicyParameterObject $parameter
This code works fine if I assign the policy to the same subscription where the logAnalytics workspace is located, but if I scope the policy assignment to another subscription and afterward check the assignment in the portal, the Log Analytics Workspace parameter will be empty.
The service principal that runs these commands is owner of both subscriptions.
The most straight-forward way of applying policies across multiple subscriptions is to make them part of a management group. You can apply a policy to the management group and every subscription which is a member will inherit it.
Further information on management groups can be found here:
https://learn.microsoft.com/en-us/azure/governance/management-groups/overview
Amended code using management groups:
New-AzPolicyAssignment -Name 'Deploy LA Agent Windows VMs' -DisplayName 'Deploy LA Agent Windows VMs' -Scope "/providers/Microsoft.Management/managementGroups/managementGroup001" -PolicyDefinition $definition -AssignIdentity -Location 'norwayeast' -PolicyParameterObject $parameter
Notes
You will need to create a management group and add subscription(s) to it before running any commands.
Assigning subscription(s) to an existing management group can have adverse effects, check there are no conflicts.
An error is likely to be generated regarding the length of the names used as they are restricted to 24 characters. You should shorten or abbreviate them.
I have not tested this code so please double-check by reviewing the documentation on Microsoft's site before running in your own environment.
I am trying the available Microsoft gallery script [https://gallery.technet.microsoft.com/scriptcenter/Export-Azure-Resource-092b9c2a#content] but it's running on subscription level and it's hanging in the middle. Looking for the solution from PowerShell or Microsoft Graph API to pull the required RBAC roles from Subscription, resource groups and each resource level.
Because the command in the script lists all role assignments in the selected Azure subscription by default. You just need to use the parameters e.g.-ResourceGroupName, -Scope in the command, then you will be able to do what you want.
Besides, in your script, it uses old AzureRm command Get-AzureRmRoleAssignment, it was deprecated. I recommend you to use Get-AzRoleAssignment.
For more details, see this link: Get-AzRoleAssignment.
to achieve that you just need to use Get-AzRoleAssignment together with a filter:
Get-AzRoleAssignment | Where-Object { $_.Scope -match 'resource_group_name' }
Suppose I set a Lock on some Azure resource (e.g. on Resource Group). Then I want to see JSON document in Azure Resource Explorer that corresponds to the created Lock. I can see the resource object document but the Lock is not shown there.
You could use powershell to see it.
Get-AzResourceLock -ResourceGroupName <resource group name> | ConvertTo-Json
For more details about azure cli or rest api, see this link.
I'm fairly certain those are not exposed under resource explorer. since the Microsoft.Authorization provider is not even listed in there
you could use any other means to retrieve those
Is it possible to change a web role name through PowerShell or any other programmatic way without needing to change the project name itself? We need role name change for monitoring purpose and changing project name would require a lot of work for us with modifying build definitions.
There seems to be a work around way which is from a blog of a MS developer, to update role name via modify the Role schema file.
Hope it helps.
Rename Azure Cloud Service.ps1
import-module Azure
# download publish settings
Get-AzurePublishSettingsFile
# import settings you just downloaded
Import-AzurePublishSettingsFile "C:\Users\<user>\Downloads\MySub-DATE-credentials.publishsettings"
# view subscription details
Get-AzureSubscription
# select active subscription
Select-AzureSubscription 'MySub'
# view cloud services for selected sub
Get-AzureService
# update cloud service name/description
Set-AzureService 'myServiceName' 'Friendly Service Name' 'Detailed Service Description'