问题描述
我正在尝试使用自定义策略启用订阅的诊断设置.但是,合规性报告始终显示为0/0;基本上,它不是在管理组下标识订阅.为了确认此行为,我创建了一个自定义策略,复制了内置策略在您的订阅上启用Azure安全中心".它还显示0/0.在订阅级别使用DeployIfNotExists策略部署某些内容是否有限制?
I am trying to enable Diagnostic Settings of subscriptions using a custom policy. But, the compliance report always shows 0/0; basically it is not identifying the subscriptions under a management group. To confirm this behavior, I created a custom policy, duplicating the BuiltIn policy "Enable Azure Security Center on your subscription". It is also showing 0/0. Is there any limitation to deploy something using a DeployIfNotExists policy at subscription level?
推荐答案
Azure策略能够在订阅级别部署资源.您确定在订阅"的父级管理"组中设置了策略分配"范围吗?
Azure Policy is capable of deploying resources at the Subscription level. Are you sure that your scope for the Policy Assignment is set at the parent Management group of your Subscriptions?
这应该是您要寻找的.此目录中有一些示例,可为订阅上的活动日志创建诊断设置,该诊断设置指向存储帐户,Log Analytics工作区或Eventhub.以下是指向日志分析工作区的deployIfNotExists策略的链接.
This should be what you are looking for. There are examples in this directory for creating diagnostic settings for Activity Logs on a Subscription that point to a Storage Account, Log Analytics Workspace, or an Eventhub. Below is a link for a deployIfNotExists policy that points to a Log Analytics Workspace.
https://github.com/Azure/Community-Policy/blob/master/Policies/Monitoring/deploy-diagnostic-setting-for-activity-log-log-analytics/azurepolicy.json(all credit for this policy to the original author)
这篇关于订阅级别的DeployIfNotExists策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!