1. Assigning diagnostic settings to audit Azure AD logs

    To assign diagnostic settings to audit Azure Active Directory (Azure AD) logs in Azure, we'll utilize Pulumi's infrastructure as code capabilities with the azure-native provider. The resource we'll focus on is azure-native.aadiam.DiagnosticSetting.

    Diagnostic settings in Azure allow you to export platform logs and metrics. These can be sent to different destinations, such as Azure Monitor Logs, Event Hubs, or Azure Storage. In the case of Azure AD logs, we use the diagnostic settings to export the logs for auditing or monitoring purposes.

    Here's what we'll do in the Pulumi program:

    1. Configure the necessary imports and setup for Pulumi.
    2. Create an instance of azure-native.aadiam.DiagnosticSetting.
    3. Define the logs we want to collect and the retention policy for them.
    4. Specify the destination for the logs; in this example, we'll use a Log Analytics workspace, but you can also use an Event Hub, Storage Account, or other supported destinations.

    Below is the TypeScript program that performs the above steps:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure_native from "@pulumi/azure-native";

    // Read the name of the Diagnostic Setting and the log destination from Pulumi config.
    const config = new pulumi.Config();
    const diagnosticSettingName = config.require("diagnosticSettingName");
    // Full ARM resource ID of the Log Analytics workspace
    // (/subscriptions/.../providers/Microsoft.OperationalInsights/workspaces/<name>),
    // not the workspace's customer GUID.
    const logAnalyticsWorkspaceId = config.require("logAnalyticsWorkspaceId");

    // Create a Diagnostic Setting to audit Azure AD logs. This resource is tenant-scoped:
    // it takes no scope or resource group and applies to the tenant that the configured
    // provider credentials belong to.
    const adDiagnosticSetting = new azure_native.aadiam.DiagnosticSetting(diagnosticSettingName, {
        name: diagnosticSettingName,
        // Define the logs you want to export; the category depends on which Azure AD logs you need.
        logs: [{
            category: "AuditLogs", // or "SignInLogs", as needed
            enabled: true,
            retentionPolicy: {
                days: 0, // Number of days to retain the data; 0 retains it indefinitely.
                enabled: true,
            },
        }],
        // Set workspaceId to send the logs to Azure Monitor Logs (Log Analytics).
        // For an Event Hub use eventHubAuthorizationRuleId and eventHubName instead;
        // for a Storage Account use storageAccountId.
        workspaceId: logAnalyticsWorkspaceId,
    });

    // Export the ID of the Azure AD Diagnostic Setting.
    export const adDiagnosticSettingId = adDiagnosticSetting.id;

    Make sure you have configured your Azure provider with the appropriate credentials before running this program. You can achieve this through the Pulumi CLI using pulumi config set azure-native:<property> or by setting the environment variables for the Azure authentication.

    This program creates a diagnostic setting, named according to your configuration, that exports the specified category of logs to an Azure Log Analytics workspace. Adjust the category, retention policy days, and destination to your requirements.
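The two values most often entered wrongly here are the workspace destination (the resource wants the full ARM resource ID, not the workspace GUID) and the set of log categories. The following helper, an added example that is not part of the page's program or of Pulumi's own API, assembles and validates the argument object for azure-native.aadiam.DiagnosticSetting before it is passed to the constructor, enabling both AuditLogs and SignInLogs by default. It needs no Pulumi import, so it can be unit-tested offline; the function names, the AadLogCategory type and the sample workspace ID are this example's own constructions.

```typescript
// Added example: build and validate the args for an Azure AD diagnostic setting.
// Names below (AadLogCategory, buildAadDiagnosticArgs, ...) are this example's own.

// Log categories this example allows for Azure AD diagnostic settings.
type AadLogCategory = "AuditLogs" | "SignInLogs";

interface AadDiagnosticArgs {
    name: string;
    logs: {
        category: AadLogCategory;
        enabled: boolean;
        retentionPolicy: { days: number; enabled: boolean };
    }[];
    workspaceId: string;
}

// workspaceId must be the full ARM resource ID of the Log Analytics workspace.
// A bare workspace GUID is a common mistake that only fails at deploy time, so
// reject it before the Pulumi resource is ever declared.
const WORKSPACE_ID_RE =
    /^\/subscriptions\/[0-9a-f-]{36}\/resourceGroups\/[^/]+\/providers\/Microsoft\.OperationalInsights\/workspaces\/[^/]+$/i;

function isWorkspaceResourceId(id: string): boolean {
    return WORKSPACE_ID_RE.test(id);
}

// Returns the object that would be passed as the second argument to
// new azure_native.aadiam.DiagnosticSetting(name, args).
function buildAadDiagnosticArgs(
    name: string,
    workspaceId: string,
    categories: AadLogCategory[] = ["AuditLogs", "SignInLogs"],
    retentionDays = 0, // 0 = retain indefinitely
): AadDiagnosticArgs {
    if (!isWorkspaceResourceId(workspaceId)) {
        throw new Error(`workspaceId must be a full Log Analytics ARM resource ID, got: ${workspaceId}`);
    }
    if (categories.length === 0) {
        throw new Error("at least one log category must be enabled");
    }
    if (!Number.isInteger(retentionDays) || retentionDays < 0) {
        throw new Error("retentionDays must be a non-negative integer");
    }
    // Drop duplicate categories so the API does not receive two entries for one log type.
    const unique = Array.from(new Set(categories));
    return {
        name,
        logs: unique.map(category => ({
            category,
            enabled: true,
            retentionPolicy: { days: retentionDays, enabled: true },
        })),
        workspaceId,
    };
}

// Constructed sample value for demonstration; not a real subscription or workspace.
const SAMPLE_WORKSPACE_ID =
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-security/providers/Microsoft.OperationalInsights/workspaces/law-audit";

// Example use: the returned object is what the Pulumi program would spread into the resource.
const sampleArgs = buildAadDiagnosticArgs("aad-audit", SAMPLE_WORKSPACE_ID);
console.log(JSON.stringify(sampleArgs, null, 2));
```

In the Pulumi program you would call this function with the values from `config.require(...)` and pass the result to `new azure_native.aadiam.DiagnosticSetting(...)`, so a malformed destination fails during `pulumi preview` instead of during the Azure API call.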