Hi ShaharAviv, I have some questions about the 'new' way to collect Azure Activity logs using Azure Policy.
The 'new' way:
Sentinel > Azure Activity Log Connector > create a policy to pull the logs.
Please confirm my assumptions below:
- It is NOT recommended to assign a policy at the root tenant level - this will fail unless you apply additional roles to the global admin. You should use subscription groups and not the root subscription - correct?
- It IS recommended to assign this policy at either a subscription level or a subscription group level - correct?
- For any existing subscriptions you may need to apply a remediation as the policy will only apply to NEW resources - correct?
In some cases I've created an Azure Policy and it shows it 'failed compliance' because there are no matching resources in the subscription - why does this happen? I expect this policy to simply log all Azure Activity under the scope of 1 or more subscriptions.
Thanks!
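The procedure the post asks about (assign the Activity log policy at a subscription or management group scope, give its managed identity the roles the definition needs, remediate subscriptions that already exist, then look at what the assignment evaluated) as an added Az PowerShell example. This is not code from the original post or from the connector itself. Assumptions, none of which appear in the post: the built-in definition's display name and its `logAnalytics` parameter name (verify both with `Get-AzPolicyDefinition` on your tenant), the placeholder subscription, workspace and region values, and the `Get-PolicyProp` helper, which only papers over the older (`.Properties.X`) and newer (flattened) object shapes returned by Az.Resources.

```powershell
# Added example (not from the original post). Requires Az.Accounts, Az.Resources
# and Az.PolicyInsights; run Connect-AzAccount first.
# Assumptions: the built-in policy's display name, its 'logAnalytics' parameter
# name, and the placeholder scope / workspace / region values below.
param(
    # Assign at a subscription or a management group scope, e.g.
    # '/providers/Microsoft.Management/managementGroups/<mg-name>'.
    [string]$Scope = '/subscriptions/00000000-0000-0000-0000-000000000000',
    # Sentinel's Log Analytics workspace (placeholder resource ID).
    [string]$WorkspaceId = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sentinel/providers/Microsoft.OperationalInsights/workspaces/law-sentinel',
    [string]$AssignmentName = 'activity-logs-to-sentinel',
    # Region in which the assignment's managed identity is created.
    [string]$Location = 'eastus'
)

$ErrorActionPreference = 'Stop'
$displayName = 'Configure Azure Activity logs to stream to specified Log Analytics workspace'

# Older Az.Resources nests policy properties under .Properties; newer versions flatten them.
function Get-PolicyProp($obj, [string]$name) {
    if ($null -ne $obj.PSObject.Properties[$name]) { return $obj.$name }
    return $obj.Properties.$name
}

# 1. Find the built-in DeployIfNotExists definition by display name instead of hard-coding its GUID.
$definition = Get-AzPolicyDefinition -Builtin |
    Where-Object { (Get-PolicyProp $_ 'DisplayName') -eq $displayName } |
    Select-Object -First 1
if (-not $definition) { throw "Built-in policy '$displayName' not found" }

# The 'if' clause is the resource type the policy evaluates; a scope with nothing
# matching it has nothing to be compliant or non-compliant. Print it so you can see it.
$rule = Get-PolicyProp $definition 'PolicyRule'
$rule.if | ConvertTo-Json -Depth 10 | Write-Output

# 2. Assign with a system-assigned managed identity (DeployIfNotExists needs one).
#    Older Az.Resources uses the -AssignIdentity switch instead of -IdentityType.
$assignment = New-AzPolicyAssignment -Name $AssignmentName -Scope $Scope `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ logAnalytics = $WorkspaceId } `
    -IdentityType 'SystemAssigned' -Location $Location

# 3. Grant the identity exactly the roles the definition declares in roleDefinitionIds.
#    (The portal does this for you; PowerShell does not. New principals can take a
#    minute to replicate, so re-run this step if New-AzRoleAssignment cannot find it.)
$principalId = if ($assignment.PSObject.Properties['IdentityPrincipalId']) {
    $assignment.IdentityPrincipalId
} else {
    $assignment.Identity.PrincipalId
}
foreach ($roleId in $rule.then.details.roleDefinitionIds) {
    $roleGuid = ($roleId -split '/')[-1]
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionId $roleGuid -Scope $Scope | Out-Null
}

# 4. The policy only fires when a resource is created or updated, so subscriptions that
#    already exist need a remediation task. ReEvaluateCompliance re-scans before remediating.
$assignmentId = if ($assignment.PSObject.Properties['PolicyAssignmentId']) {
    $assignment.PolicyAssignmentId
} else {
    $assignment.Id
}
Start-AzPolicyRemediation -Name "$AssignmentName-remediation" -Scope $Scope `
    -PolicyAssignmentId $assignmentId -ResourceDiscoveryMode ReEvaluateCompliance

# 5. See which resources the assignment evaluated and how each came out. Add
#    -ManagementGroupName <mg-name> when the assignment scope is a management group.
Get-AzPolicyState -Filter "PolicyAssignmentName eq '$AssignmentName'" |
    Select-Object ResourceId, ResourceType, ComplianceState, Timestamp
```

Step 5 is the useful check for the compliance question above: the listed `ResourceType` values are exactly what the definition's `if` clause matched at that scope, so an assignment that reports no resources is one whose `if` clause found nothing there to evaluate, which is a different condition from the deployment having failed.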