Enable Azure Policy to Automatically Configure Log Analytics and VM Insights Across Subscriptions via Management Group Scope

Question

Enable Azure Policy to Automatically Configure Log Analytics and VM Insights Across Subscriptions via Management Group Scope

Sree Aravind M 40

We are building a multi-cloud FinOps application where we collect performance and cost metrics from Azure resources. Currently, we are programmatically enabling diagnostic settings and monitoring configurations using APIs for specific resource types.

Current Implementation (API-based approach)

We are enabling Log Analytics workspace integration for the following Azure resource types using APIs:

Microsoft.Web/serverFarms,Microsoft.DBforMySQL/flexibleServers,Microsoft.DBforPostgreSQL/flexibleServers,Microsoft.Sql/servers/elasticPools,Microsoft.Sql/servers/databases

Additionally, for Virtual Machines, we are enabling monitoring (including VM Insights / performance metrics) via API.

New Requirement (Policy-based approach)

We want to transition from API-based configuration to a centralized Azure Policy-driven approach.

Scenario 1: Log Analytics Workspace Enablement via Policy

We are creating a Management Group (not resource group) and moving subscriptions under it.

We want to apply Azure Policies at the Management Group scope to:

Automatically enable diagnostic settings for all supported resource types.

Route logs and metrics to a specific Log Analytics Workspace (Workspace ID).

Ensure compliance for:

Existing resources (retroactive enablement)

Newly created resources (automatic enforcement)

We are looking for:

Built-in or recommended Azure Policies for this use case

Guidance on assigning policies at Management Group level

Whether a single policy can cover multiple resource types or if separate policies are required

Bharath Y P 8,495 Reputation points Microsoft External Staff Moderator

2026-04-24T06:30:08.54+00:00
Hello Sree, it makes total sense to move from “one-off” API calls to a centralized, policy-driven model—especially when you have multiple subscriptions under a management group. Here’s a high-level approach you can take for both diagnostics (logs & metrics) and VM Insights:

Enable Diagnostic Settings for Logs & Metrics • Built-in Azure Policy – Use the “Deploy diagnostic settings to Log Analytics workspace” built-in policy (effect = DeployIfNotExists). – This policy lets you pick one or more resource types (App Service plans, SQL servers/databases, MySQL/PostgreSQL flexible servers, etc.) and automatically configures the categories of logs and metrics you need, pointing them at your chosen workspace. • Assignment at Management Group – Go to Azure Portal > Policy > Assign definition – Scope = your management group – Select the built-in “Deploy diagnostic settings to Log Analytics workspace” policy – Fill in parameters: target workspace resource ID, list of resource types & categories, identity to use (system-assigned or user-assigned) – Because it’s DeployIfNotExists, it will remediate existing resources and automatically apply to new ones. • Single vs. Multiple Policies – You can cover multiple resource types in one assignment if you choose the multi-resource version of the built-in. If you need different settings per resource type, you can assign multiple definitions or create a policy initiative (set) that groups them.

Enable VM Insights (AMA-based) • Use the predefined VM Insights initiatives: – “Enable Azure Monitor for VMs with Azure Monitoring Agent (AMA)” – “Enable Azure Monitor for VMSS with Azure Monitoring Agent (AMA)” – (If you have Arc-enabled machines) “Enable Azure Monitor for Hybrid VMs with AMA” • Assignment at Management Group – Azure Portal > Policy > Assign initiative – Scope = your management group root – Pick the appropriate VM insights initiative(s) – Parameters:
• Data collection rule (DCR) resource ID (created in same region as workspace) • Log Analytics workspace ID • (Optional) include Arc machines
– Hit Create. The initiative uses DeployIfNotExists to:
• Install the Azure Monitor Agent extension • Create or link the VM insights DCR • Run remediation on existing VMs • Automatically enforce on new VMs ```3) Tracking Compliance • After you assign at MG scope, open Policy > Compliance to see: – Success vs. non-compliant resources – Ability to kick-off remediation tasks for any leftovers • For VM insights, drill into “Initiative compliance” to see per-policy status (agent installed, DCR in place, etc.)

Next Steps / References

Here are the docs you’ll lean on for the details and screenshots:

Enable VM insights using Azure Policy (initiatives & assignment) https://docs.microsoft.com/azure/azure-monitor/vm/vminsights-enable-policy

Assign a VM insights policy initiative https://docs.microsoft.com/azure/azure-monitor/vm/vminsights-enable-policy#assign-a-vm-insights-policy-initiative

Enable Insights at scale using Azure policies (policy assignment flow) https://docs.microsoft.com/azure/azure-local/manage/monitor-multi-azure-policies?view=azloc-2604

Hope this helps! please feel free to reach out if you have any further questions. Thanks
Bharath Y P 8,495 Reputation points Microsoft External Staff Moderator

2026-04-29T04:53:04.6733333+00:00

Hello Sree, As per your request, We are currently troubleshooting the scenario as per your requested resource, we will keep you updated. Thanks

1 answer

Your answer

Bharath Y P 8,495 Reputation points Microsoft External Staff Moderator

2026-04-29T04:53:04.6733333+00:00

Hello Sree, As per your request, We are currently troubleshooting the scenario as per your requested resource, we will keep you updated. Thanks

Answer 1

For Log Analytics and VM insights enablement at management group scope, use Azure Policy initiatives with either built-in or custom diagnostic-settings policies and assign them at the management group level.

Built-in vs custom policies for diagnostic settings

Built-in diagnostic policies exist per resource type and destination (Log Analytics, Storage, Event Hub). Examples in the Monitoring category include policies such as:
- “Enable logging by category group for microsoft.dbformysql/flexibleservers to Log Analytics”
- “Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Log Analytics”
These built-ins are per resource type. A single built-in policy does not cover multiple resource types. For each resource type (App Service plans, SQL databases, MySQL/PostgreSQL flexible servers, etc.), a separate policy definition is required.

If a built-in does not exist for a specific resource type, create a custom policy definition that deploys a diagnostic setting to your Log Analytics workspace. The documentation shows an example for SQL databases:

PowerShell:

    New-AzPolicyDefinition -name "Deploy Diagnostic Settings for SQL Server database to Log Analytics workspace" \
      -policy .\Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.rules.json \
      -parameter .\Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\azurepolicy.parameters.json \
      -mode All -Metadata '{"category":"Monitoring"}'

Azure CLI:

    az policy definition create \
      --name 'deploy-diag-setting-sql-database--workspace' \
      --display-name 'Deploy Diagnostic Settings for SQL Server database to Log Analytics workspace' \
      --rules 'Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\\azurepolicy.rules.json' \
      --params 'Apply-Diag-Settings-LA-Microsoft.Sql-servers-databases\\azurepolicy.parameters.json' \
      --subscription 'AzureMonitor_Docs' \
      --mode All

Use an initiative to cover multiple resource types

A single policy cannot cover multiple resource types, but a single initiative can.
Create an initiative that includes:
- All built-in diagnostic-setting policies for each resource type you need (e.g., MySQL flexible servers, PostgreSQL flexible servers, others in the Monitoring category).
- Any custom diagnostic-setting policies you created (e.g., for App Service plans, SQL elastic pools, etc.).
Recommendations for the initiative:
- Set Category to Monitoring so it’s grouped with related policies.
- Use initiative-level parameters for shared settings such as Log Analytics workspace ID and (if applicable) Event Hub details. This allows specifying the workspace once for all policies in the initiative and changing it centrally later.

Assigning at management group scope

To assign at management group scope using built-in policies/initiatives from the Azure portal:
1. Go to Policy → Definitions.
2. Filter Category = Monitoring and Definition type = Initiative or Policy.
3. For initiatives, search for audit or allLogs and select the initiative for your destination; for individual policies, search by resource type and destination.
4. On the selected initiative/policy pane, select Assign initiative.
5. On the Basics tab, set Scope to the management group that contains your subscriptions. The initiative/policy will apply to all resources in that scope (with optional exclusions and resource selectors if needed).
6. On the Parameters tab, select the Log Analytics workspace (and other destination parameters) that all policies in the initiative should use.
7. On the Remediation tab, select Create a remediation task and ensure a system-assigned managed identity is created. This ensures existing resources are brought into compliance.
8. Select Review + create → Create.
For custom initiatives (e.g., your own diagnostic-setting policies):
- Create the initiative (with Category = Monitoring) and add all relevant policy definitions.
- Use initiative parameters for workspace and other shared values.
- Then assign the initiative to the management group as above.

Ensuring coverage for existing and new resources

New resources:
- Once the initiative is assigned with enforcement enabled, any new resource of a covered type created in the management group scope will be evaluated and, with DeployIfNotExists policies, automatically configured with diagnostic settings to the specified Log Analytics workspace.
Existing resources:
- Create a remediation task when assigning the initiative. This deploys diagnostic settings to existing resources that are currently noncompliant.
- The documentation explicitly notes that remediation tasks are required to apply diagnostic settings to already-created resources.

VM insights and VM monitoring via policy

For VM insights, use the VM insights policy initiatives and assign them at management group, subscription, or resource group scope:
- In the Azure portal, go to Policy → Assignments → Assign initiative.
- On Basics, set Scope to the management group.
- Select one of the VM insights initiatives as the Initiative definition.
- Configure parameters (e.g., Log Analytics workspace) and remediation.
After assignment, compliance can be reviewed via the VM insights policy coverage view and Policy compliance views. Compliance state indicates whether agents (Azure Monitor Agent or Log Analytics agent and Dependency agent) are deployed to all VMs in scope.

Compliance and monitoring

Use Policy → Compliance to review initiative compliance at management group or subscription level. Noncompliant resources indicate where diagnostic settings or agents are missing and may need remediation.
For VM insights specifically, use Monitor → Insights → Virtual machines → Other onboarding options → Enable using policy to view Azure Monitor for VMs Policy Coverage, including:
- Scope (management group or subscription)
- Total VMs
- Assignment coverage
- Compliance state

Summary

Separate policy definitions are required per resource type; a single policy cannot cover all resource types.
Use a single Monitoring-category initiative that aggregates all relevant diagnostic-setting policies (built-in and custom) and VM insights initiatives.
Assign the initiative at management group scope with initiative-level parameters for the Log Analytics workspace and create remediation tasks to cover both existing and new resources.

References:

Share via

Enable Azure Policy to Automatically Configure Log Analytics and VM Insights Across Subscriptions via Management Group Scope

1 answer

Your answer