Forum Discussion

SocInABox
Iron Contributor
Oct 23, 2023

Creating an Azure activity logging policy via Sentinel for 1 or more subscriptions.

Hi there,

I have questions about the proper procedure for configuring the Azure Activity Log Connector in Sentinel.

 

The 'old' way, which still seems to work and is easy:

Activity Log > Export Activity Logs > enable diagnostics for EACH subscription and point to the log analytics workspace - done!

 

The 'new' way:

Sentinel > Azure Activity Log Connector > create a policy to pull the logs.

It's this 'new' way I have questions about, e.g. are my assumptions correct:
- It is NOT recommended to assign this policy at the root tenant level - this will fail unless you apply additional roles to the global admin - correct?

- It IS recommended to assign this policy at either a subscription level or a subscription group level - correct?

- For any existing subscriptions you may need to apply a remediation as the policy will only apply to NEW resources - correct?

 

Your experience on this matter is appreciated.
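The policy-based procedure the post asks about, scripted with Az PowerShell, as an added example that is not part of the original post or any reply. It assumes the built-in definition "Configure Azure Activity logs to stream to specified Log Analytics workspace" (definition ID 2465583e-4e78-4c15-b6be-a36cbc7c8b0f, which is what the Sentinel connector assigns; verify it against the ID shown on the connector page), and the workspace ID, management group name and subscription ID are placeholders. It covers the three points raised: the assignment needs a managed identity and role assignments, which is why the account running it must hold Owner or User Access Administrator at the target scope (at the tenant root group a Global Administrator only gets that after elevating access); the scope can be a subscription or a management group; and existing subscriptions are only configured by an explicit remediation task.

```powershell
# Added example (not from the original thread): assign the built-in
# "Configure Azure Activity logs to stream to specified Log Analytics workspace"
# policy with Az PowerShell, grant its managed identity the roles the
# DeployIfNotExists effect needs, and remediate subscriptions that already exist.
# Requires Az.Accounts, Az.Resources and Az.PolicyInsights; run Connect-AzAccount first.
# Every resource ID and name below is a placeholder (assumption), not a real identifier.

$workspaceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sentinel/providers/Microsoft.OperationalInsights/workspaces/law-sentinel"

# Scope: a management group holding several subscriptions, or one subscription.
# Leave $managementGroupName empty to target the single subscription instead.
$managementGroupName = "mg-landing-zones"                    # assumed name
$subscriptionId      = "00000000-0000-0000-0000-000000000000" # assumed ID
$scope = if ($managementGroupName) {
    "/providers/Microsoft.Management/managementGroups/$managementGroupName"
} else {
    "/subscriptions/$subscriptionId"
}

# Built-in definition ID used by the Sentinel Azure Activity connector
# (assumed; confirm against the ID the connector page displays).
$definition = Get-AzPolicyDefinition -Id "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f"

# DeployIfNotExists runs as a managed identity, so -IdentityType and -Location
# are required. The definition's parameter for the target workspace is 'logAnalytics'.
$assignment = New-AzPolicyAssignment `
    -Name                  "sentinel-activity-logs" `
    -DisplayName           "Stream Activity Log to Sentinel workspace" `
    -Scope                 $scope `
    -PolicyDefinition      $definition `
    -PolicyParameterObject @{ logAnalytics = $workspaceId } `
    -IdentityType          "SystemAssigned" `
    -Location              "eastus"

# The portal grants these roles silently; from PowerShell you must do it yourself.
# The set comes from the definition's roleDefinitionIds (Log Analytics Contributor
# and Monitoring Contributor). Writing role assignments at $scope is the step that
# needs Owner or User Access Administrator on the account running this script.
# On Az.Resources 7+ the principal is exposed as $assignment.IdentityPrincipalId.
$principalId = $assignment.Identity.PrincipalId
Start-Sleep -Seconds 30   # let the new identity replicate before assigning roles
foreach ($role in @("Log Analytics Contributor", "Monitoring Contributor")) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $role -Scope $scope | Out-Null
}

# Existing subscriptions: the policy only deploys the diagnostic setting when it
# evaluates a resource, so already-present subscriptions need a remediation task.
# ReEvaluateCompliance forces a fresh scan instead of waiting for the scheduled one.
$remediation = @{
    Name                  = "remediate-activity-logs-$(Get-Date -Format yyyyMMddHHmm)"
    PolicyAssignmentId    = $assignment.ResourceId
    ResourceDiscoveryMode = "ReEvaluateCompliance"
}
# Start-AzPolicyRemediation uses a separate parameter set for management groups.
if ($managementGroupName) { $remediation.ManagementGroupName = $managementGroupName }
else                      { $remediation.Scope = $scope }
Start-AzPolicyRemediation @remediation

# Follow up on what the task actually deployed.
$lookup = @{ Name = $remediation.Name }
if ($managementGroupName) { $lookup.ManagementGroupName = $managementGroupName }
else                      { $lookup.Scope = $scope }
Get-AzPolicyRemediation @lookup | Select-Object ProvisioningState, DeploymentSummary
```

Two things to check after running it: a subscription that already streams its Activity Log to a different workspace is not changed by this policy (the definition only checks for a diagnostic setting pointing at the given workspace), so the "old" per-subscription exports should be reviewed rather than assumed replaced; and if the role assignments fail with a principal-not-found error, the identity has not replicated yet, so re-run that loop rather than the whole script.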

2 Replies
