Currently we a spending most of our time doing Azure Gonvernance projects for customers.

This includes

  • DevOps
    • Pipelines
    • Templates
    • and more
  • Management/Resource Group Structure
  • Policies
  • Monitoring

If you need anything in aboveareas, don’t hesistate to contact us!

We can help you get into azure from nothing to production, or help you get control of your azure spending and structure.

One of the things we setup is Diagnostics logging in Azure Log Analytics from various resources.

This is super easy to setup on all Azure Resources, but it is actually also possible to enable on Azure ADs.

Azure AD forwards these logs:

  • AuditLogs
  • SignInLogs


The challenge is that Azure AD is Not  a normal Azure resource, so we cannot use the standard PowerShell commands to set it up.

Therefore I create my own script to use the REST API to setup the diagnostics logging.

To access the REST API we need to use a access token, but using Azure modules, we can get he token easily.

This great script on TechNet shows how:

  $workspaceName = "runbookguru",
  $ruleName = "Log Analytics ($workspaceName)"

Import-Module Az

# Find the ResourceId for the Log Analytics workspace

$workspaceResource = Get-AzResource -ResourceType "Microsoft.OperationalInsights/workspaces" -Name $workspaceName
$workspaceId = $workspaceResource.ResourceId
function Get-AzCachedAccessToken()
    $ErrorActionPreference = 'Stop'

    $azureRmProfileModuleVersion = (Get-Module Az.Profile).Version
    $azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
    if(-not $azureRmProfile.Accounts.Count) {
        Write-Error "Ensure you have logged in before calling this function."    
    $currentAzureContext = Get-AzContext
    $profileClient = New-Object Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient($azureRmProfile)
    Write-Debug ("Getting access token for tenant" + $currentAzureContext.Tenant.TenantId)
    $token = $profileClient.AcquireAccessToken($currentAzureContext.Tenant.TenantId)
$token = Get-AzCachedAccessToken

#setup diag settings
$uri = "{0}?api-version=2017-04-01-preview" -f $ruleName
$body = @"
    "id": "providers/microsoft.aadiam/diagnosticSettings/$ruleName",
    "type": null,
    "name": "Log Analytics",
    "location": null,
    "kind": null,
    "tags": null,
    "properties": {
      "storageAccountId": null,
      "serviceBusRuleId": null,
      "workspaceId": "$workspaceId",
      "eventHubAuthorizationRuleId": null,
      "eventHubName": null,
      "metrics": [],
      "logs": [
          "category": "AuditLogs",
          "enabled": true,
          "retentionPolicy": { "enabled": false, "days": 0 }
          "category": "SignInLogs",
          "enabled": true,
          "retentionPolicy": { "enabled": false, "days": 0 }
    "identity": null

$headers = @{
    "Authorization" = "Bearer $token"
    "Content-Type"  = "application/json"
$response = Invoke-WebRequest -Method Put -Uri $uri -Body $body -Headers $headers

if ($response.StatusCode -ne 200) {
    throw "an error occured: $($response | out-string)"