Simplifying Diagnostic settings in Azure using Category Groups

Effective monitoring of resources is critical in a well-managed cloud deployment. Within Azure, diagnostic settings allow you to send performance metrics or logs to a destination such as a Log Analytics workspace, Azure storage account, Event Hub, or an Azure Monitor partner integration.

Configuring diagnostics has always required manually specifying exactly which log types you wish to capture. Azure resources often have many types of diagnostic logs, and it can be difficult for organisations to know what they need. For example, when you are configuring Azure Virtual Desktop logs, you have the following log categories:

Whereas with a Key Vault, you have these options.

Importantly, the monitoring capability of Azure is always changing. Microsoft introduces new log types all the time, such as the recently added NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, and ManagedIdentitySignInLogs for Azure AD. Staying up to date means you must manually update your diagnostic settings to include these new logs.

A great alternative to manually specifying logs and repeatedly updating diagnostic settings is to use Category Groups.

The working concept of category groups is similar to dynamic user or device groups in Azure AD, where users/devices are added or removed automatically. With category groups, the groupings are controlled by Microsoft, meaning you don’t have to stay up to date on each log category.

Currently, there are two category groups available:

  • All Logs – Every resource log offered by the resource
  • Audit – All resource logs that record customer interactions with data or the settings of the service

Using category groups, it becomes simple to do something like send Audit Logs to a Log Analytics Workspace, and All Logs to a storage account.

We can configure diagnostic settings using Azure Portal, PowerShell, Azure CLI, Bicep or ARM templates. In this post, we will be using Azure Portal and Bicep. As of writing, not all resources have category groups available, so make sure to reference the documentation for your specific service.

When configuring the Azure Key Vault diagnostic setting using the Azure portal, you will see that we have the following category groups available.

To configure the same setting using Bicep, we can first get the template format reference from here. If we look at the LogSettings, we have categoryGroup available.

If we want to enable all logs, we can update the categoryGroup setting value to ‘allLogs’ in the LogSettings section of our Bicep template, as shown in the screenshot below.
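
The split described earlier (Audit logs to a Log Analytics workspace, All Logs to a storage account) can be written in Bicep as below. This is an added example, not the template from the original post; the parameter names, setting names and API versions are assumptions, and the Key Vault, workspace and storage account are assumed to exist already.

```bicep
// Added example. Parameter and setting names are assumptions for illustration.
@description('Name of an existing Key Vault in the target resource group.')
param keyVaultName string

@description('Resource ID of an existing Log Analytics workspace.')
param workspaceId string

@description('Resource ID of an existing storage account used for log retention.')
param storageAccountId string

// Reference the existing vault so the diagnostic settings can be scoped to it.
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: keyVaultName
}

// Audit category group: logs of customer interactions with data or settings,
// sent to the workspace where they can be queried and alerted on.
resource auditToWorkspace 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'audit-to-workspace'
  scope: keyVault
  properties: {
    workspaceId: workspaceId
    logs: [
      {
        categoryGroup: 'audit'
        enabled: true
      }
    ]
  }
}

// allLogs category group: every resource log the vault offers, including
// categories Microsoft adds later, sent to the storage account.
resource allLogsToStorage 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'alllogs-to-storage'
  scope: keyVault
  properties: {
    storageAccountId: storageAccountId
    logs: [
      {
        categoryGroup: 'allLogs'
        enabled: true
      }
    ]
  }
}
```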


Create diagnostic settings to send Azure Monitor platform metrics and logs to different destinations – Azure Monitor | Microsoft Docs

Microsoft Insights Diagnostic Settings
