Azure Management Groups Activity logs to Azure Monitor

This blog post shows you how to forward your Azure Management Group activity logs to Azure Monitor or to any SIEM product you have in your environment. There is a known limitation that this cannot be configured in the Azure Portal; it has to be enabled through the backend API, and this post provides the details needed to do that. This matters for some Azure customers because management groups define the organization's top-level governance, including Azure Policy and access management.

Problem Statement

As of today (20/06/2021), the Azure Portal does not allow you to configure Diagnostic settings at the management group level. If you go to Diagnostic settings on a management group, it takes you to a page that asks again for a resource to configure diagnostic settings on; see the animation below.

MG Diagnostic Issue Animation

Note that you don't get a place to configure diagnostic settings for management groups; this is a known limitation. You can see the activity logs for a management group in the Azure Portal if you go to the Activity Logs pane of that management group; however, you cannot forward them to Azure Monitor or to any SIEM product. This is a problem for some customers, as they want to use Azure Monitor to monitor the entire cloud landscape rather than browsing through different locations. Furthermore, some customers want to query a single Log Analytics workspace for platform-level analytics. The only way to do that is to forward all the logs to Azure Monitor. Without wasting any more time, let's look at how it can be done.

Solution

The good news is that there is a way to achieve this. At this time, diagnostic settings at the management group level can only be enabled and configured via the REST API, which is documented at the following location.

https://docs.microsoft.com/en-us/rest/api/monitor/managementgroupdiagnosticsettings/createorupdate

With this API you can configure diagnostic settings on management groups. Diagnostic settings allow you to configure forwarding rules for activity logs to three destinations, consistent with any other resource type in Azure. They are as below.

  1. Log Analytics workspace
  2. Storage account
  3. Event Hubs

Before you call this API, you will need a valid bearer token acquired from Azure AD. If you are unfamiliar with the process of calling the Azure APIs, this API documentation is a good place to start. There are certain prerequisite steps, such as creating a service principal and assigning it permissions, that need to occur first; these are detailed in the documentation along with a YouTube video.
I used Postman as the tool to call the above API. Following are some of the details of the API calls I made to set these diagnostic settings.

Get the Bearer Token

I used the following API to get the Bearer token from the Azure AD.

https://login.microsoftonline.com/<tenant id>/oauth2/token

The request and response screenshots in Postman are below.
Bearer Token Screenshot

List the Existing Diagnostic Settings on a Given Management Group.

I used the following API to list the existing diagnostic configuration on the management group.

https://management.azure.com/providers/microsoft.management/managementGroups/wtt-ml-sandboxes/providers/microsoft.insights/diagnosticSettings?api-version=2020-01-01-preview

The request and response of the GET call in Postman look like the following.

Get Request

Configure a Diagnostic Setting to send logs to a Log Analytics workspace.

I used the following API to update the diagnostic configuration on the management group wtt-ml-sandboxes.

https://management.azure.com/providers/microsoft.management/managementGroups/wtt-ml-sandboxes/providers/microsoft.insights/diagnosticSettings/testdiag?api-version=2020-01-01-preview

The request and response of the PUT call in Postman look like the following.
Put Request

This is all you need to configure diagnostic settings on a management group. Once the setting is in place, it takes 5-10 minutes for logs to appear in the Log Analytics workspace. If you go to the workspace, you will see the data being logged in the same AzureActivity table as the rest of your activity logs.
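The three calls above (token, list, PUT) scripted end to end, as an added example that is not the author's Postman session. It uses only the Python standard library and the same management group name, setting name and api-version as the post. The client-credentials form fields, the shape of the PUT body and the `Administrative`/`Policy` log categories are assumptions taken from the REST reference linked earlier, not from this page; verify them there before relying on the script.

```python
"""Configure management group diagnostic settings with the REST API.

Added example (standard library only), not the Postman calls from the post.
Assumed and not shown on the page: the form fields of the v1 token endpoint,
the request body of the managementGroupDiagnosticSettings PUT, and the
'Administrative' and 'Policy' log categories. Verify them against the
linked API reference before relying on the script.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2020-01-01-preview"  # version the post uses


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for a client-credentials token from Azure AD."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": ARM + "/",  # token audience for ARM calls
    }).encode()
    return url, form


def diag_settings_url(mg_name, setting_name=None):
    """List URL without a setting name; GET/PUT/DELETE URL with one."""
    url = (f"{ARM}/providers/microsoft.management/managementGroups/{mg_name}"
           "/providers/microsoft.insights/diagnosticSettings")
    if setting_name:
        url += f"/{setting_name}"
    return f"{url}?api-version={API_VERSION}"


def diag_settings_body(workspace_id, categories=("Administrative", "Policy")):
    """PUT body that forwards the given activity-log categories to a workspace."""
    return {
        "properties": {
            "workspaceId": workspace_id,  # full ARM resource ID of the workspace
            "logs": [{"category": c, "enabled": True} for c in categories],
        }
    }


def http(method, url, body=None, token=None, content_type="application/json"):
    """Send one request; HTTP errors raise so a bad setting never fails silently."""
    headers = {"Content-Type": content_type}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


def main():
    needed = ("AZ_TENANT_ID", "AZ_CLIENT_ID", "AZ_CLIENT_SECRET", "MG_NAME", "WORKSPACE_ID")
    cfg = {k: os.environ.get(k) for k in needed}
    if not all(cfg.values()):
        sys.exit(f"set {', '.join(needed)} in the environment")

    # 1. Bearer token from Azure AD (the service principal needs rights on the MG).
    url, form = token_request(cfg["AZ_TENANT_ID"], cfg["AZ_CLIENT_ID"], cfg["AZ_CLIENT_SECRET"])
    token = http("POST", url, form,
                 content_type="application/x-www-form-urlencoded")["access_token"]

    # 2. List what is already configured on the management group.
    print(json.dumps(http("GET", diag_settings_url(cfg["MG_NAME"]), token=token), indent=2))

    # 3. Create or update a setting named "testdiag" (the name used in the post).
    body = json.dumps(diag_settings_body(cfg["WORKSPACE_ID"])).encode()
    result = http("PUT", diag_settings_url(cfg["MG_NAME"], "testdiag"), body, token=token)
    print(json.dumps(result, indent=2))


if __name__ == "__main__":
    main()
```

Run it with the five environment variables set; `WORKSPACE_ID` is the full ARM resource ID of the workspace, not its GUID. Keeping the secret in the environment rather than in the script mirrors how you would hand this to a pipeline, and the GET before the PUT lets you spot a setting someone else already created under a different name.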

Log Analytics Screenshot 1

The log format is as below.

Log Analytics Screenshot 2

You can use this table and the data in any Log Analytics query that you want to formulate.
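One thing worth doing with the forwarded rows is to watch for governance changes at management group scope, since that is the reason the post gives for wanting these logs in the first place. The filter below is an added example, not from the post; the records are constructed, and the column names it reads (`TimeGenerated`, `Caller`, `OperationNameValue`, `ActivityStatusValue`, `_ResourceId`) and the status spellings are assumptions to check against your own workspace schema before turning this into a query or alert rule.

```python
"""Flag governance changes at management-group scope in forwarded activity logs.

Added example, not from the post. RECORDS are constructed and shaped after
AzureActivity columns; the column names and status values are assumptions
to confirm against your own workspace schema.
"""

MG_PREFIX = "/providers/microsoft.management/managementgroups/"
SUCCESS = {"succeeded", "success"}  # both spellings handled (assumption)
# Resource providers that carry MG-level governance: RBAC/policy and MG structure.
GOVERNANCE_PROVIDERS = ("microsoft.authorization/", "microsoft.management/")

RECORDS = [  # constructed sample rows, all placeholder identities and IDs
    {"TimeGenerated": "2021-06-20T09:01:00Z", "Caller": "alice@contoso.example",
     "OperationNameValue": "Microsoft.Authorization/policyAssignments/delete",
     "ActivityStatusValue": "Succeeded",
     "_ResourceId": "/providers/Microsoft.Management/managementGroups/wtt-ml-sandboxes"
                    "/providers/Microsoft.Authorization/policyAssignments/deny-public-ip"},
    {"TimeGenerated": "2021-06-20T09:02:00Z", "Caller": "svc-deploy@contoso.example",
     "OperationNameValue": "Microsoft.Authorization/roleAssignments/write",
     "ActivityStatusValue": "Succeeded",
     "_ResourceId": "/providers/Microsoft.Management/managementGroups/wtt-ml-sandboxes"
                    "/providers/Microsoft.Authorization/roleAssignments/placeholder-1"},
    {"TimeGenerated": "2021-06-20T09:03:00Z", "Caller": "bob@contoso.example",
     "OperationNameValue": "Microsoft.Authorization/roleAssignments/write",
     "ActivityStatusValue": "Succeeded",
     "_ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                    "/providers/Microsoft.Authorization/roleAssignments/placeholder-2"},
    {"TimeGenerated": "2021-06-20T09:04:00Z", "Caller": "alice@contoso.example",
     "OperationNameValue": "Microsoft.Authorization/policyAssignments/read",
     "ActivityStatusValue": "Succeeded",
     "_ResourceId": "/providers/Microsoft.Management/managementGroups/wtt-ml-sandboxes"
                    "/providers/Microsoft.Authorization/policyAssignments/deny-public-ip"},
    {"TimeGenerated": "2021-06-20T09:05:00Z", "Caller": "carol@contoso.example",
     "OperationNameValue": "Microsoft.Management/managementGroups/subscriptions/write",
     "ActivityStatusValue": "Failed",
     "_ResourceId": "/providers/Microsoft.Management/managementGroups/wtt-ml-sandboxes"
                    "/subscriptions/00000000-0000-0000-0000-000000000000"},
]


def is_mg_scope(resource_id):
    """True when the target resource lives directly under a management group."""
    return (resource_id or "").lower().startswith(MG_PREFIX)


def is_governance_change(operation):
    """True for write/delete operations on RBAC, policy or MG-structure objects."""
    op = (operation or "").lower()
    return op.startswith(GOVERNANCE_PROVIDERS) and op.endswith(("/write", "/delete"))


def mg_governance_changes(records, include_failed=False):
    """Return MG-scope governance changes; failed attempts only if asked for."""
    hits = []
    for r in records:
        if not is_mg_scope(r.get("_ResourceId")):
            continue  # subscription- or resource-level noise
        if not is_governance_change(r.get("OperationNameValue")):
            continue  # reads and unrelated providers
        succeeded = (r.get("ActivityStatusValue") or "").lower() in SUCCESS
        if not succeeded and not include_failed:
            continue
        hits.append({"time": r["TimeGenerated"], "caller": r["Caller"],
                     "operation": r["OperationNameValue"],
                     "status": r["ActivityStatusValue"], "resource": r["_ResourceId"]})
    return hits


if __name__ == "__main__":
    for h in mg_governance_changes(RECORDS, include_failed=True):
        print(f"{h['time']} {h['status']:9} {h['caller']:28} {h['operation']}")
```

The scope check is what the management group forwarding adds: before this setting exists, the second row (a role assignment written at MG scope) never reaches the workspace, while the subscription-scope row was already there. The `include_failed` switch is deliberate; denied attempts to add a subscription to a management group are often worth a look even though they changed nothing.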