az policy definition list --query "[?contains(displayName, 'diagnostic')]" --output tableDiagnostic settings policy
A diagnostic settings policy is an Azure Policy definition or initiative that audits, denies, or deploys diagnostic settings at scale so supported resources send logs and metrics to approved destinations.
Source: Microsoft Learn - Create diagnostic settings at scale by using built-in Azure policies Reviewed 2026-05-13
- Exam trap
- Changing production before checking the exact Azure scope, owner, identity, destination, and rollback or recovery procedure.
- Production check
- Can you name the Azure scope, owner, resource ID, dependency, and rollback or recovery path without guessing?
Article details and learning context
- Aliases
- Azure Policy for diagnostic settings, diagnostic settings Azure Policy, policy-based diagnostic settings, deploy diagnostic settings policy
- Difficulty
- intermediate
- CLI mappings
- 4
- Last verified
- 2026-05-13
Understand the concept
In plain English
Diagnostic settings policy is an Azure Policy approach for auditing or deploying diagnostic settings across resources at management group, subscription, or resource group scope. In Azure, it helps teams enforce observability baselines, reduce missing telemetry, standardize log destinations, and remediate resources that lack required diagnostic settings. Plainly, it is a named part of the architecture that operators can point to when they need evidence, ownership, and a safe change path. A useful glossary entry should explain where it appears, what it controls, what depends on it, and which signal proves it is healthy.
Why it matters
Diagnostic settings policy matters because a small Azure setting can shape customer experience, security posture, operational visibility, and incident recovery. When it is shallowly documented, teams may troubleshoot the wrong service, queue, device, policy, deployment, workspace, or destination while the real dependency remains hidden. In enterprise Azure work, the value is shared language: application, platform, security, data, finance, and operations teams can discuss the same object without guessing. That reduces incident time, improves audit quality, clarifies ownership, and makes production changes safer because failure modes and graph relationships are visible before change. Treat Diagnostic settings policy as production owned when customer traffic, regulated data, device fleets, shared infrastructure, or release automation depends on it.
Technical context
Technically, Diagnostic settings policy appears in Azure Policy definitions, built-in diagnostic settings initiatives, custom policies, policy assignments, managed identity, remediation tasks, Log Analytics workspaces, Event Hubs, and Storage destinations and interacts with Azure Policy, Azure Monitor, Log Analytics Workspace, and Event Hubs. Configuration is reviewed through policy definition, assignment scope, parameters, and managed identity, while operators validate live state through compliance state, noncompliant resources, remediation status, and diagnostic setting created. Scope determines which permissions, logs, commands, and dependencies matter.
Exam context
Compare with
Where it is used
Where you see it
- In Azure Policy, diagnostic settings policy appears when governance teams assign built-in or custom policies to enable telemetry at scale during production review when operators collect repeatable evidence.
- In compliance dashboards, it appears when resources are noncompliant because required diagnostic settings are missing or misconfigured during production review when operators collect repeatable evidence.
- In remediation work, it appears when a managed identity creates diagnostic settings for supported resources after assignment approval during production review when operators collect repeatable evidence.
Common situations
- Audit resources that lack required diagnostic settings.
- Deploy diagnostic settings automatically for supported resource types.
- Remediate observability drift across subscriptions and landing zones.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Diagnostic settings policy in action for insurance Scenario, objectives, solution, measured impact, and takeaway.
Northstar Mutual, a insurance organization, needed to address subscriptions created by different product teams had inconsistent diagnostic settings and weak audit evidence. The architecture team used Diagnostic settings policy as the control point for a measurable production improvement.
- Apply diagnostic baselines at management group scope
- Reduce noncompliant resources below 10 percent
- Centralize logs in approved workspaces
Governance engineers assigned diagnostic settings policies at the platform management group. Parameters pointed to approved Log Analytics workspaces, and assignment managed identities received only the permissions needed for remediation. Compliance state was reviewed weekly, and exceptions required expiry dates. The team validated Diagnostic settings policy in a lower environment, captured before-and-after evidence, and promoted the change through a controlled release with rollback ownership. Runbooks were updated so support engineers could identify the correct scope, identity, dependency, telemetry signal, and approval record without asking the original implementer. The final design connected governance with day-to-day engineering work, which made the change understandable to security, operations, finance, and application stakeholders. The team validated Diagnostic settings policy in a lower environment, captured before-and-after evidence, and promoted the change through a controlled release with rollback ownership.
- Noncompliant resources fell from 48 percent to 7 percent
- Central workspaces received standardized platform logs
- Audit preparation time dropped by three days
A diagnostic settings policy scales observability from a checklist into enforceable governance.
Scenario 02 Diagnostic settings policy in action for public transportation Scenario, objectives, solution, measured impact, and takeaway.
UrbanLink Transit, a public transportation organization, needed to address new resource groups for station systems often launched without Event Hubs routing required by security monitoring. The architecture team used Diagnostic settings policy as the control point for a measurable production improvement.
- Deploy security telemetry routing automatically
- Keep assignment scope limited to station workloads
- Track remediation success for every new resource
The platform team built a custom diagnostic settings policy for supported resource types and assigned it to station subscriptions. Parameters selected the security Event Hubs namespace, while remediation tasks created missing settings after deployment. Unsupported resources were tracked in a separate exception report. The team validated Diagnostic settings policy in a lower environment, captured before-and-after evidence, and promoted the change through a controlled release with rollback ownership. Runbooks were updated so support engineers could identify the correct scope, identity, dependency, telemetry signal, and approval record without asking the original implementer. The final design connected governance with day-to-day engineering work, which made the change understandable to security, operations, finance, and application stakeholders. The team validated Diagnostic settings policy in a lower environment, captured before-and-after evidence, and promoted the change through a controlled release with rollback ownership.
- Telemetry routing appeared within hours of resource creation
- Station workload scope avoided unrelated ingestion cost
- Security analysts received consistent resource logs
Custom diagnostic settings policies are useful when built-ins do not match the exact resource scope or destination.
Scenario 03 Diagnostic settings policy in action for retail ecommerce Scenario, objectives, solution, measured impact, and takeaway.
NimbusRetail Cloud, a retail ecommerce organization, needed to address diagnostic settings were enabled manually, creating high ingestion cost and inconsistent categories across stores. The architecture team used Diagnostic settings policy as the control point for a measurable production improvement.
- Standardize categories by resource type
- Reduce unnecessary Log Analytics ingestion
- Preserve required incident evidence
Architects replaced manual diagnostic setup with policy assignments that used approved category lists per resource type. Remediation created missing settings, while cost reports identified noisy categories. Store teams kept local visibility through workbooks, and platform owners controlled exceptions through policy exemptions. The team validated Diagnostic settings policy in a lower environment, captured before-and-after evidence, and promoted the change through a controlled release with rollback ownership. Runbooks were updated so support engineers could identify the correct scope, identity, dependency, telemetry signal, and approval record without asking the original implementer. The final design connected governance with day-to-day engineering work, which made the change understandable to security, operations, finance, and application stakeholders. The team validated Diagnostic settings policy in a lower environment, captured before-and-after evidence, and promoted the change through a controlled release with rollback ownership.
- Unnecessary ingestion decreased 24 percent
- Required incident categories stayed enabled across stores
- Manual diagnostic setup work was eliminated for new resources
Diagnostic settings policy should govern both coverage and cost, not just switch every log category on.
Azure CLI
CLI checks for Diagnostic settings policy are useful because they turn portal assumptions into repeatable evidence. Start with read-only commands that show scope, state, owner, permissions, destinations, deployment settings, or device records. Run mutating, security-impacting, or cost-impacting commands only after approval, because the wrong scope can affect production availability, spend, access, or telemetry.
Useful for
- Audit resources that lack required diagnostic settings.
- Deploy diagnostic settings automatically for supported resource types.
- Remediate observability drift across subscriptions and landing zones.
Before you run a command
- Run az account show, confirm tenant and subscription, and verify the operator identity has approved read access for the exact Azure scope.
- Confirm resource group, service name, resource ID, environment, owner, and change record before collecting evidence or modifying production configuration.
- Prefer read-only commands first; review any command that creates deployments, changes policy, alters device access, or routes telemetry before running it.
What the output tells you
- Whether the resource, setting, device, deployment, policy, queue, or API Management object exists at the expected Azure scope.
- Which state, target, timestamp, SKU, identity, destination, count, property, or compliance result is visible to the operator.
- Whether the issue is wrong scope, stale configuration, missing permissions, broken telemetry routing, policy drift, device provisioning failure, or release mismatch.
Mapped commands
Diagnostic settings policy operational checks
directaz policy assignment list --scope <scope> --output tableaz policy assignment create --name <assignment-name> --scope <scope> --policy <policy-definition-id> --params @params.jsonaz policy remediation create --name <remediation-name> --policy-assignment <assignment-id> --scope <scope>Architecture context
Diagnostic settings policy belongs to Monitoring and Observability architecture decisions where identity, monitoring, cost ownership, reliability, and production support need shared evidence.
- Security
- Security for Diagnostic settings policy starts with least privilege, trusted configuration, and evidence that access matches workload risk. Review assignment identity permissions, log destination access, scope selection, policy exemptions, and sensitive log routing before approving production use. A common failure is assuming that a working feature, successful deployment, connected device, or populated log destination proves the configuration is safe. Use Microsoft Entra groups, managed identities, RBAC, private connectivity, diagnostic logging, source-controlled definitions, and approval records where applicable. Keep exceptions ticketed, time-bounded, and owned. For regulated workloads, align the term with classification, retention, break-glass, and incident-response procedures. Remove broad access, stale keys, unreviewed contributors, and undocumented exception paths before Diagnostic settings policy becomes an incident path.
- Cost
- Cost for Diagnostic settings policy appears through compute capacity, transaction volume, diagnostic retention, policy remediation, storage consumption, API exposure, message retries, device fleet operations, and the human effort required to recover from mistakes. Review workspace ingestion growth, event hub throughput, storage retention, remediation volume, and noncompliance cleanup before expanding production use. Some costs are direct, such as retained logs, provisioned capacity, storage transactions, or queue processing; others are indirect, such as failed releases, duplicated troubleshooting, emergency restores, and support escalation. Tag related resources, monitor usage, and separate exploratory work from production. A cost review should connect spend to a real owner and measurable value.
- Reliability
- Reliability for Diagnostic settings policy depends on repeatable configuration, tested dependencies, and clear failure signals. Watch remediation success, supported resource types, destination availability, policy evaluation timing, and exception tracking because drift often appears later as failed releases, missing telemetry, stuck messages, failed device provisioning, unavailable APIs, or confusing support evidence. Use lower environments, source-controlled definitions where possible, deployment validation, monitoring, and recovery notes before changing production. Operators should know which resource, endpoint, queue, policy, workspace, device, or downstream application fails first and which metric or log proves the failure. The goal is predictable recovery: detect Diagnostic settings policy drift, preserve service, restore safely, and explain the incident without guessing.
- Performance
- Performance for Diagnostic settings policy depends on workload shape, service limits, data volume, network path, diagnostic destination, policy evaluation, device scale, queue behavior, deployment capacity, and the monitoring path used to confirm success. Review policy evaluation latency, remediation throughput, log ingestion delay, workspace query load, and destination capacity before increasing capacity or retrying blindly. The better fix might be correcting partitioning, reducing log noise, warming an endpoint, tuning queue visibility, selecting a different deployment type, or moving telemetry to a better destination. Measure under representative production conditions. Operators should connect symptoms to evidence: latency, throttling, backlog, failed operations, dropped logs, or stale state.
- Operations
- Operations for Diagnostic settings policy should focus on ownership, observability, and safe repeatability. Standardize names, tags, owner groups, environment labels, diagnostic destinations, runbook links, approval records, and change windows so support teams do not reverse-engineer the platform during incidents. Use read-only CLI, API, policy, diagnostic, or portal checks first, then compare live state with intended configuration. For production, connect alerts, audit events, cost records, graph links, and release notes to the same term. The support question should be simple: who owns it, what changed, and what proves the current state?. Capture owner, scope, evidence, and recovery procedure before changing Diagnostic settings policy in a production environment.
Common mistakes
- Changing production before checking the exact Azure scope, owner, identity, destination, and rollback or recovery procedure.
- Treating a portal screenshot as sufficient evidence when CLI output, activity logs, diagnostics, and source-controlled configuration are repeatable.
- Assuming a name match proves the correct resource when subscriptions, regions, products, device IDs, queues, and workspaces can look similar.