Creating Azure Entra ID diagnostic settings with PowerShell

Question  Votes: 0  Answers: 1

Is there a way to create a diagnostic setting for Entra ID that collects all logs except the sign-in logs and sends them to a Log Analytics workspace and a storage account, using PowerShell?

To be clear, I am not talking about resource-specific diagnostic settings, which can be retrieved/removed with the Get/Remove-AzDiagnosticSetting -ResourceId cmdlets.

I'm asking because I like automation.

azure powershell azure-diagnostics microsoft-entra-id
1 Answer
0 votes

To create a diagnostic setting for Entra ID that collects all logs except SignInLogs, use the following PowerShell script:

Connect-AzAccount

# Generate an access token for the management API
$accessToken = (Get-AzAccessToken -ResourceUrl "https://management.azure.com").Token

# Set the API endpoint for creating the diagnostic setting
$apiEndpoint = "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/testdsruk?api-version=2017-04-01-preview"

# Define the body of the request as a JSON string
$body = @"
{
    "properties": {
        "logs": [
            {
                "category": "AuditLogs",
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "ProvisioningLogs",
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "NonInteractiveUserSignInLogs",
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "RiskyUsers",
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "UserRiskEvents",
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "NetworkAccessTrafficLogs",
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "RiskyServicePrincipals",
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "ServicePrincipalRiskEvents",
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "EnrichedOffice365AuditLogs",
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "MicrosoftGraphActivityLogs",
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            }
        ],
        "metrics": [],
        "storageAccountId": "/subscriptions/SubID/resourceGroups/ruk/providers/Microsoft.Storage/storageAccounts/ruk9e84"
    }
}
"@

# Set the headers
$headers = @{
    "Authorization" = "Bearer $accessToken"
    "Content-Type" = "application/json"
}

# Make the PUT request to create the diagnostic setting
$response = Invoke-RestMethod -Uri $apiEndpoint -Headers $headers -Method Put -Body $body

# Output the result
Write-Output "Diagnostic setting created successfully."

[Screenshot: the Microsoft Entra ID diagnostic setting was created successfully]

[Screenshot: all logs except SignInLogs are selected]

You can modify the script to configure and collect the logs according to your requirements.

To retrieve and delete Microsoft Entra ID diagnostic settings, refer to this SO thread of mine.
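As an added example (not the answer's own code), the same microsoft.aadiam PUT can be driven from a category list so that the exclusion is explicit, the logs go to both a Log Analytics workspace and a storage account (as the question asked), and the setting is read back to confirm what the API actually enabled. The resource IDs are placeholders, and the category list is the one from the answer above plus SignInLogs; your tenant may expose further categories.

```powershell
# Added example: create an Entra ID diagnostic setting from a category list,
# excluding SignInLogs, targeting both a workspace and a storage account,
# then verify the result by reading the setting back. Resource IDs below are placeholders.
param(
    [string]$SettingName      = "entra-all-but-signin",
    [string]$WorkspaceId      = "/subscriptions/<SUB_ID>/resourceGroups/<RG>/providers/Microsoft.OperationalInsights/workspaces/<WORKSPACE>",
    [string]$StorageAccountId = "/subscriptions/<SUB_ID>/resourceGroups/<RG>/providers/Microsoft.Storage/storageAccounts/<STORAGE>",
    [string[]]$Exclude        = @("SignInLogs")
)

# Categories taken from the answer above, plus SignInLogs so the exclusion is visible in the body.
$categories = @("AuditLogs", "SignInLogs", "ProvisioningLogs", "NonInteractiveUserSignInLogs",
    "RiskyUsers", "UserRiskEvents", "NetworkAccessTrafficLogs", "RiskyServicePrincipals",
    "ServicePrincipalRiskEvents", "EnrichedOffice365AuditLogs", "MicrosoftGraphActivityLogs")

Connect-AzAccount | Out-Null
# Newer Az.Accounts versions return the token as a SecureString; handle both shapes (PowerShell 7+).
$tok = Get-AzAccessToken -ResourceUrl "https://management.azure.com"
$accessToken = if ($tok.Token -is [securestring]) { ConvertFrom-SecureString $tok.Token -AsPlainText } else { $tok.Token }

# Build the body: every category is listed, excluded ones are explicitly disabled.
$logs = foreach ($c in $categories) {
    @{ category = $c; enabled = ($c -notin $Exclude); retentionPolicy = @{ days = 0; enabled = $false } }
}
$body = @{ properties = @{
    logs = @($logs); metrics = @()
    workspaceId = $WorkspaceId; storageAccountId = $StorageAccountId
} } | ConvertTo-Json -Depth 6

# ${SettingName} is braced because '?' is a legal variable-name character in PowerShell.
$uri = "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/${SettingName}?api-version=2017-04-01-preview"
$headers = @{ Authorization = "Bearer $accessToken"; "Content-Type" = "application/json" }
Invoke-RestMethod -Uri $uri -Headers $headers -Method Put -Body $body | Out-Null

# Read the setting back: the API response, not the request we sent, is the source of truth.
$setting  = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
$enabled  = $setting.properties.logs | Where-Object enabled | Select-Object -ExpandProperty category
$leaked   = $enabled | Where-Object { $_ -in $Exclude }
if ($leaked) { throw "Excluded categories are enabled: $($leaked -join ', ')" }
if (-not $setting.properties.workspaceId)      { throw "No Log Analytics workspace attached." }
if (-not $setting.properties.storageAccountId) { throw "No storage account attached." }
"Setting '$SettingName' forwards $($enabled.Count) categories: $($enabled -join ', ')"
```

The identity running this needs permission to write microsoft.aadiam diagnostic settings (for example Security Administrator or Global Administrator in the tenant) and write access to the target workspace and storage account.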
