Azure Bicep Diagnostics Settings for Active Directory

Raymondo
June 5, 2023
157 views
0 votes
2 Answers

I am trying to create diagnostics settings using Bicep to export diagnostics from AAD to an Event Hub.

The part I am unsure of is the scope.

I am rewording my question as the first answer below and comments is leading to many a dead end.

My Facade Bicep Code:

module diagnosticsAAD 'diagnosticSettingAAD.bicep' = [for ds in diagnosticSettingsAAD: {
  name: 'Diagnostics-${ds.diagnosticType}'
  scope: resourceGroup(ds.resourceSubId, ds.resourceRG)
  dependsOn: [eventHubs]
  params: {
    diagnosticName: ds.diagnosticName
    eventHubAuthorizationRuleId: ds.eventHubAuthorizationRuleId
    eventHubName: ds.eventHubName
    diagnosticType: ds.diagnosticType
    resourceName: ds.resourceName
    logs: ds.logs
    metrics: ds.metrics
  }
}]

The underlying Bicep Module:

@description('Diagnostic name')
param diagnosticName string

@description('Auth ID to allow diags to be saved to Event Hub')
param eventHubAuthorizationRuleId string
@description('Event Hub name')
param eventHubName string

@description('Type of Diagnostic we are trying to create')
@allowed(['Firewall', 'SQLServer', 'AAD'])
param diagnosticType string
@description('Name of Resource we are trying to place the diagnostic on')
param resourceName string

@description('Array of Diagnostic Logs')
param logs array
@description('Array of Diagnostic Metrics')
param metrics array

// Set up Logs
var diagnosticsLogConfig = [for category in logs: {
  category: category
  enabled: true
  retentionPolicy: {
    enabled: true
    days: 28
  }
}]

// Set Up Metrics
var diagnosticsMetricConfig = [for category in metrics: {
  category: category
  enabled: true
  retentionPolicy: {
    enabled: true
    days: 28
  }
}]
// ----------------------------------------------------------------



resource activeDir 'Microsoft.AzureActiveDirectory/b2cDirectories@2021-04-01' existing = {
  name: resourceName
}

// Create Diagnostics by Type
resource  diagAADSetting 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (diagnosticType  ==  'AAD')  { 
  name:  diagnosticName  
  scope: activeDir
  properties:  { 
    eventHubAuthorizationRuleId: eventHubAuthorizationRuleId != null ? eventHubAuthorizationRuleId : null  
    eventHubName: eventHubName != null ? eventHubName : null  
    logs: diagnosticsLogConfig != null ? diagnosticsLogConfig : [] 
    metrics: diagnosticsMetricConfig != null ? diagnosticsMetricConfig : [] 
    logAnalyticsDestinationType: 'Dedicated' 
   } 
}

And finally the Json:

{
    "diagnosticSettingsAAD": {
        "value": [
            {
                "diagnosticType": "AAD",
                "diagnosticName": "my-diag",
                "resourceSubId": "123",             
                "resourceName": "AAD (Dev)",
                "resourceRG": "my-rg",          
                "eventHubName": "my-evh",
                "eventHubAuthorizationRuleId": "/subscriptions/123/resourcegroups/my-rg/providers/Microsoft.EventHub/namespaces/my-evhns/authorizationrules/RootManageSharedAccessKey",
                "logs": [
                    "AuditLogs",
                    "SignInLogs",
                    "ManagedIdentitySignInLogs",
                    "ProvisioningLogs"
                ],
                "metrics": []                   
            }       
        ]
    }
}

and the error returned is:

The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.",rn    "details": [rn      {rn        "code": "DeploymentFailed",rn        "target": "/subscriptions/123/resourceGroups/my-rg/providers/Microsoft.Resources/deployments/Diagnostics-AAD",rn        "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",rn        "details": [rn          {rn            "code": "ResourceNotFound",rn            "message": "The Resource 'Microsoft.AzureActiveDirectory/b2cDirectories/AAD (Dev)' under resource group 'my-rg' was not found.

It appear that it is scope, unless the message is a red-herring. I have tried scope: tenant() and i get a compilation error in VS Code stating that it needs to be at resource group level.

Any suggestions would be appreciated

Answers

Chosen as BEST ANSWER

In the end I used the following code as we aren't using b2c as per code originally supplied by Jahnavi.

resource aadDiagnosticSetttings 'microsoft.aadiam/diagnosticSettings@2017-04-01' = if(diagnosticType == 'AAD') {
  name: diagnosticName
  scope: tenant()
  properties: {
    eventHubAuthorizationRuleId: eventHubAuthorizationRuleId != null ? eventHubAuthorizationRuleId : null  
    eventHubName: eventHubName != null ? eventHubName : null  
    logs: diagnosticsLogConfig != null ? diagnosticsLogConfig : [] 
  }
}

(Edit)

To obtain the scope of the resource, you can use the resourceId( ) function in bicep by giving the resource Name, provider, resource Type etc. as detailed in the given MS Doc.

scope:resourceId('Microsoft.AzureActiveDirectory/b2cDirectories', <resource>)

After adding the required scope, your code modified as below:

resource  diagAADSetting 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview'  =  if  (diagnosticType  ==  'AAD') 
{ 
  name:  diagnosticName  
  scope: resourceId('Microsoft.AzureActiveDirectory/b2cDirectories', resourceName)  
 properties: 
 { 
   eventHubAuthorizationRuleId: eventHubAuthorizationRuleId !=  null  ?  eventHubAuthorizationRuleId :  null  
   eventHubName:  eventHubName  !=  null  ?  eventHubName :  null  
   logs:  diagnosticsLogConfig  !=  null  ?  diagnosticsLogConfig : [] 
   metrics:  diagnosticsMetricConfig  !=  null  ? diagnosticsMetricConfig : [] 
   logAnalyticsDestinationType:  'Dedicated' 
   } 
}

I ran the sample template with the scope parameter and was successfully deployed.

Please signup or login to give your own answer.

Click here to cancel reply.