create Azure Entra ID Diagnostic Setting using Powershell


Is there a way to create Diagnostic Settings for Entra ID that collect all the logs except for SignInLogs and send them to a Log Analytics workspace and to a storage account, using PowerShell?

Just to be clear, I am not speaking about resource-specific Diagnostic Settings; those can be retrieved/deleted using the Get/Remove-AzDiagnosticSetting -ResourceId cmdlets.

I am asking this question because I would like to automate it.


Rukmini On BEST ANSWER

To create Diagnostic Settings for Entra ID which collect all the logs except for SignInLogs, make use of the PowerShell script below:

Connect-AzAccount

# Generate an access token for the management API
$accessToken = (Get-AzAccessToken -ResourceUrl "https://management.azure.com").Token

# Set the API endpoint for creating the diagnostic setting
$apiEndpoint = "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/testdsruk?api-version=2017-04-01-preview"

# Define the body of the request as a JSON string
$body = @"
{
    "properties": {
        "logs": [
            {
                "category": "AuditLogs",
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "ProvisioningLogs",
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "NonInteractiveUserSignInLogs",
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "RiskyUsers",
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "UserRiskEvents",
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "NetworkAccessTrafficLogs",
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "RiskyServicePrincipals",
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "ServicePrincipalRiskEvents",
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "EnrichedOffice365AuditLogs",
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            },
            {
                "category": "MicrosoftGraphActivityLogs",
                "enabled": true,
                "retentionPolicy": {
                    "days": 0,
                    "enabled": false
                }
            }
        ],
        "metrics": [],
        "storageAccountId": "/subscriptions/SubID/resourceGroups/ruk/providers/Microsoft.Storage/storageAccounts/ruk9e84"
    }
}
"@

# Set the headers
$headers = @{
    "Authorization" = "Bearer $accessToken"
    "Content-Type" = "application/json"
}

# Make the PUT request to create the diagnostic setting
$response = Invoke-RestMethod -Uri $apiEndpoint -Headers $headers -Method Put -Body $body

# Output the result
Write-Output "Diagnostic setting created successfully."


The Microsoft Entra ID Diagnostic Settings created successfully:


Except the SignInLogs, all other logs are selected:


Based on your requirement, you can modify the script to configure which logs are collected.

To fetch and delete the Microsoft Entra ID Diagnostic Settings, refer to this SO thread of mine.
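The answer's script writes only to a storage account; the question also asked for a Log Analytics workspace. The added example below (not from the answer or from Microsoft) builds the request body from a category list so SignInLogs cannot be included by accident, sets both workspaceId and storageAccountId (placeholder resource IDs), and reads the setting back to confirm what is actually enabled. It assumes the Az module is installed and that Get-AzAccessToken returns the token as a plain string, as in the answer.

```powershell
# Added example: Entra ID diagnostic setting to Log Analytics + storage, excluding SignInLogs.
# All resource IDs and the setting name are placeholders; replace them before running.
Connect-AzAccount -ErrorAction Stop

$settingName      = "entra-to-law-and-storage"   # placeholder name
$workspaceId      = "/subscriptions/<SubID>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<law>"  # placeholder
$storageAccountId = "/subscriptions/<SubID>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<sa>"         # placeholder

# Categories taken from the answer above; SignInLogs is deliberately absent from this list
$categories = @("AuditLogs", "ProvisioningLogs", "NonInteractiveUserSignInLogs",
    "RiskyUsers", "UserRiskEvents", "NetworkAccessTrafficLogs", "RiskyServicePrincipals",
    "ServicePrincipalRiskEvents", "EnrichedOffice365AuditLogs", "MicrosoftGraphActivityLogs")

# One log entry per category, same shape as the answer's hand-written JSON
$logs = foreach ($c in $categories) {
    @{ category = $c; enabled = $true; retentionPolicy = @{ days = 0; enabled = $false } }
}

$body = @{
    properties = @{
        logs             = @($logs)
        metrics          = @()
        workspaceId      = $workspaceId       # Log Analytics destination
        storageAccountId = $storageAccountId  # storage account destination
    }
} | ConvertTo-Json -Depth 6

$token   = (Get-AzAccessToken -ResourceUrl "https://management.azure.com").Token
$headers = @{ Authorization = "Bearer $token"; "Content-Type" = "application/json" }
# ${settingName} is braced because '?' is a legal character in PowerShell variable names
$uri = "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/${settingName}?api-version=2017-04-01-preview"

# PUT creates or updates the tenant-level setting; Invoke-RestMethod throws on a non-2xx reply
Invoke-RestMethod -Uri $uri -Headers $headers -Method Put -Body $body -ErrorAction Stop | Out-Null

# Read the setting back and verify that SignInLogs is not among the enabled categories
$current = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get -ErrorAction Stop
$enabled = $current.properties.logs | Where-Object { $_.enabled } | Select-Object -ExpandProperty category
if ($enabled -contains "SignInLogs") { throw "SignInLogs is enabled; check the category list." }
Write-Output "Diagnostic setting '$settingName' enabled for: $($enabled -join ', ')"
```

The same GET call is a cheap way to audit an existing tenant for settings that drifted from the intended category list.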