From 4a2628037e3125e19fd0970471341a133eb8fabc Mon Sep 17 00:00:00 2001 From: juanq7 <63010956+juanq7@users.noreply.github.com> Date: Thu, 11 Jun 2026 08:40:24 -0700 Subject: [PATCH 1/2] Add README for Azure Bastion diagnostic logging policy This README provides information on the Azure Policy Definition script for enabling diagnostic logging for Azure Bastion. --- .../README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 Azure Bastion/Policy - Azure Policy Definitions/Policy - Enable Diagnostic Logging for Azure Bastion/README.md
diff --git a/Azure Bastion/Policy - Azure Policy Definitions/Policy - Enable Diagnostic Logging for Azure Bastion/README.md b/Azure Bastion/Policy - Azure Policy Definitions/Policy - Enable Diagnostic Logging for Azure Bastion/README.md new file mode 100644
index 00000000..202fffc9
--- /dev/null
+++ b/Azure Bastion/Policy - Azure Policy Definitions/Policy - Enable Diagnostic Logging for Azure Bastion/README.md
@@ -0,0 +1,17 @@
+# Enable Diagnostic Logs for Azure Bastion - JSON
+
+This is the Azure Policy Definition script to verify Azure Bastion diagnostic settings are enabled and flowing to a log analytics workspace.
+
+## Contributing
+
+This project welcomes contributions and suggestions. Most contributions require you to agree to a
+Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
+the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
+
+When you submit a pull request, a CLA bot will automatically determine whether you need to provide
+a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions
+provided by the bot. You will only need to do this once across all repos using our CLA.
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
+contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
From 79e2e40896192984becfc968b39a34095826b974 Mon Sep 17 00:00:00 2001 From: juanq7 <63010956+juanq7@users.noreply.github.com> Date: Thu, 11 Jun 2026 08:42:03 -0700 Subject: [PATCH 2/2] Add Azure Bastion diagnostic logging policy This policy audits Azure Bastion hosts to ensure that diagnostic settings are configured correctly, sending necessary logs and metrics to a Log Analytics workspace. --- .../azure-bastion-diagnostic-policy.json | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 Azure Bastion/Policy - Azure Policy Definitions/Policy - Enable Diagnostic Logging for Azure Bastion/azure-bastion-diagnostic-policy.json
diff --git a/Azure Bastion/Policy - Azure Policy Definitions/Policy - Enable Diagnostic Logging for Azure Bastion/azure-bastion-diagnostic-policy.json b/Azure Bastion/Policy - Azure Policy Definitions/Policy - Enable Diagnostic Logging for Azure Bastion/azure-bastion-diagnostic-policy.json new file mode 100644
index 00000000..2dd81c99
--- /dev/null
+++ b/Azure Bastion/Policy - Azure Policy Definitions/Policy - Enable Diagnostic Logging for Azure Bastion/azure-bastion-diagnostic-policy.json
@@ -0,0 +1,53 @@
+{
+ "displayName": "Audit Diagnostic Logging for Azure Bastion",
+ "description": "Audits Azure Bastion hosts (Microsoft.Network/bastionHosts) to ensure diagnostic settings are configured to send the required logs (BastionAuditLogs, audit, allLogs) and metrics (AllMetrics) to a Log Analytics workspace.",
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "metadata": {
+ "category": "Monitoring",
+ "version": "1.0.0"
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "AuditIfNotExists",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "AuditIfNotExists"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Network/bastionHosts"
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "exists": "true"
+ }
+ ]
+ }
+ }
+ }
+ }
+ }
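Review bot: The existenceCondition at the end of the hunk is looser than the description promises — `logs.enabled` equals `true` is satisfied by any enabled log entry, so a diagnostic setting that forwards some unrelated category to a workspace passes while `BastionAuditLogs` stays silent and the host is reported compliant. Match the log element on its category, as the current built-ins do: a `count` over `logs[*]` with a `where` clause requiring `enabled` and either `category` equal to `BastionAuditLogs` or the `categoryGroup` alias in `audit`/`allLogs`, `greater` than 0; the metrics and workspaceId conditions can stay as they are. Separately, `Deny` in `allowedValues` is unlikely to behave as intended: a deny effect does not evaluate `details`/`existenceCondition`, so if the definition is accepted at all it would reject every bastion host rather than enforce a setting — drop it, or add `DeployIfNotExists` with a deployment template and `roleDefinitionIds` if enforcement is wanted. The alias names below follow the current Azure built-in diagnostic-settings policies; confirm them with `Get-AzPolicyAlias` before publishing.
```json
"existenceCondition": {
  "allOf": [
    {
      "count": {
        "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
        "where": {
          "allOf": [
            {
              "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
              "equals": "true"
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Insights/diagnosticSettings/logs[*].category",
                  "equals": "BastionAuditLogs"
                },
                {
                  "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
                  "in": [ "audit", "allLogs" ]
                }
              ]
            }
          ]
        }
      },
      "greater": 0
    },
```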