Is there a way to create a diagnostic setting for Entra ID that collects all logs except the sign-in logs and sends them to a Log Analytics workspace and a storage account, using PowerShell?
To be clear, I am not talking about resource-specific diagnostic settings, which can be retrieved/removed with the Get/Remove-AzDiagnosticSetting -ResourceId cmdlets.
I am asking because I like automation.
To create a diagnostic setting for Entra ID that collects all logs except SignInLogs, use the following PowerShell script:
Connect-AzAccount
# Generate an access token for the management API
$accessToken = (Get-AzAccessToken -ResourceUrl "https://management.azure.com").Token
# Set the API endpoint for creating the diagnostic setting
$apiEndpoint = "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/testdsruk?api-version=2017-04-01-preview"
# Define the body of the request as a JSON string
$body = @"
{
  "properties": {
    "logs": [
      { "category": "AuditLogs",                  "enabled": true, "retentionPolicy": { "days": 0, "enabled": false } },
      { "category": "ProvisioningLogs",           "enabled": true, "retentionPolicy": { "days": 0, "enabled": false } },
      { "category": "NonInteractiveUserSignInLogs","enabled": true, "retentionPolicy": { "days": 0, "enabled": false } },
      { "category": "RiskyUsers",                 "enabled": true, "retentionPolicy": { "days": 0, "enabled": false } },
      { "category": "UserRiskEvents",             "enabled": true, "retentionPolicy": { "days": 0, "enabled": false } },
      { "category": "NetworkAccessTrafficLogs",   "enabled": true, "retentionPolicy": { "days": 0, "enabled": false } },
      { "category": "RiskyServicePrincipals",     "enabled": true, "retentionPolicy": { "days": 0, "enabled": false } },
      { "category": "ServicePrincipalRiskEvents", "enabled": true, "retentionPolicy": { "days": 0, "enabled": false } },
      { "category": "EnrichedOffice365AuditLogs", "enabled": true, "retentionPolicy": { "days": 0, "enabled": false } },
      { "category": "MicrosoftGraphActivityLogs", "enabled": true, "retentionPolicy": { "days": 0, "enabled": false } }
    ],
    "metrics": [],
    "storageAccountId": "/subscriptions/SubID/resourceGroups/ruk/providers/Microsoft.Storage/storageAccounts/ruk9e84"
  }
}
"@
# Set the headers
$headers = @{
"Authorization" = "Bearer $accessToken"
"Content-Type" = "application/json"
}
# Make the PUT request to create the diagnostic setting
$response = Invoke-RestMethod -Uri $apiEndpoint -Headers $headers -Method Put -Body $body
# Output the result
Write-Output "Diagnostic setting created successfully."
The Microsoft Entra ID diagnostic setting was created successfully:
All logs except SignInLogs are selected:
You can modify the script to configure and collect the logs according to your requirements.
To get and delete Microsoft Entra ID diagnostic settings, refer to my SO thread here.
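The question asked for both a Log Analytics workspace and a storage account as destinations, while the script above wires up only the storage account. The following is an added example, not code from the answer above: it builds the same category list (SignInLogs deliberately omitted) from an array instead of a hand-written JSON string, sets both the `workspaceId` and `storageAccountId` properties on the same `microsoft.aadiam/diagnosticSettings` resource, and then reads the setting back to confirm that SignInLogs is not enabled and that both sinks are present. The setting name, subscription ID, resource group, workspace and storage account names are placeholders that you must replace.

```powershell
# Added example (not from the original answer): one Entra ID diagnostic setting that
# sends every category except SignInLogs to BOTH a Log Analytics workspace and a
# storage account, then reads the setting back to verify it. All IDs are placeholders.

Connect-AzAccount | Out-Null

$settingName      = "entra-all-but-signin"                      # assumed setting name
$subscriptionId   = "00000000-0000-0000-0000-000000000000"      # placeholder
$resourceGroup    = "rg-monitoring"                             # placeholder
$workspaceId      = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.OperationalInsights/workspaces/law-security"  # placeholder
$storageAccountId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Storage/storageAccounts/stentralogs"          # placeholder

$apiVersion = "2017-04-01-preview"
$uri = "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/$settingName?api-version=$apiVersion"

# Same categories as the answer's script; SignInLogs is intentionally absent.
$categories = @(
    "AuditLogs", "ProvisioningLogs", "NonInteractiveUserSignInLogs",
    "RiskyUsers", "UserRiskEvents", "NetworkAccessTrafficLogs",
    "RiskyServicePrincipals", "ServicePrincipalRiskEvents",
    "EnrichedOffice365AuditLogs", "MicrosoftGraphActivityLogs"
)

# Build the logs array from the list instead of hand-editing JSON.
$logs = foreach ($c in $categories) {
    @{ category = $c; enabled = $true; retentionPolicy = @{ days = 0; enabled = $false } }
}

$body = @{
    properties = @{
        logs             = @($logs)
        metrics          = @()
        workspaceId      = $workspaceId        # Log Analytics destination
        storageAccountId = $storageAccountId   # storage account destination
    }
} | ConvertTo-Json -Depth 6

# Newer Az.Accounts releases return the token as a SecureString; handle both shapes.
$token = (Get-AzAccessToken -ResourceUrl "https://management.azure.com").Token
if ($token -is [securestring]) { $token = ConvertFrom-SecureString -SecureString $token -AsPlainText }
$headers = @{ Authorization = "Bearer $token"; "Content-Type" = "application/json" }

# Create (or overwrite) the setting.
Invoke-RestMethod -Uri $uri -Headers $headers -Method Put -Body $body | Out-Null

# Read it back and check that what was stored matches the intent.
$current = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
$enabled = $current.properties.logs | Where-Object enabled | Select-Object -ExpandProperty category

if ($enabled -contains "SignInLogs")           { throw "SignInLogs is enabled but should not be." }
if (-not $current.properties.workspaceId)      { throw "Log Analytics workspace sink is missing." }
if (-not $current.properties.storageAccountId) { throw "Storage account sink is missing." }

Write-Output "Setting '$settingName' sends $($enabled.Count) categories to both sinks."
```

The read-back step matters more than it looks: a PUT that succeeds still only reflects what the caller sent, so listing the setting afterwards (or running the same GET against `.../diagnosticSettings?api-version=2017-04-01-preview` without a name to enumerate all tenant-level settings) is the cheapest way to confirm that nobody has quietly disabled a category or dropped a destination. The `ConvertFrom-SecureString -AsPlainText` branch requires PowerShell 7; on Windows PowerShell 5.1 the token is already a plain string and the branch is skipped.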