Azure Monitor Baseline Alerts

Deploy via the Azure Portal (Preview)

Deploy to Azure


Deployment Settings Blade



  • Change the values on the Deployment Settings blade according to the following instructions:
    • Choose the Management Group where you wish to deploy the policies and the initiatives, usually called the “pseudo root management group”. For example, in ALZ terminology, this would be the “Intermediate Root Management Group” (directly beneath the “Tenant Root Group”).
    • Choose the value of Region to specify your Azure location of choice.
    • Change the value of Resource group for baseline alerts to the name of the resource group where the activity logs, resource health alerts, action groups and alert processing rules will be deployed.
    • Choose the value of Resource group location to specify the location for said resource group.
    • Choose the value of Bring Your Own User Assigned Managed Identity to specify whether you want to bring your own user assigned managed identity for monitoring purposes.
    • Define the value of User Assigned Managed Identity Name to specify the name of the user assigned managed identity for monitoring purposes.
    • Choose the value of Bring Your Own User Assigned Managed Identity Resource Id to specify the resource ID of the user assigned managed identity if you want to bring your own user assigned managed identity for monitoring purposes.
    • Choose the value of Management Subscription Id to specify the subscription ID where the user assigned managed identity will be created.
    • Choose the value of Customer Usage Selection Option. Microsoft can identify the deployments of the Azure Resource Manager and Bicep templates with the deployed Azure resources. Microsoft can correlate these resources used to support the deployments. Microsoft collects this information to provide the best experiences with their products and to operate their business. The telemetry is collected through customer usage attribution. The data is collected and governed by Microsoft’s privacy policies, located at the trust center.
    • Change the value of Resource Group Tags to specify the tags to be added to said resource group.

Management Groups Settings Blade



In the Management Groups Settings blade, change the value of the policy set definitions you would like to enable according to the following instructions:

  • Set the value of Enable AMBA Service Health to Yes. This initiative deploys Azure Monitor Baseline Alerts to monitor Service Health Events such as Service issues, Planned maintenance, Health advisories, Security advisories, and Resource health together with action groups for Service Health alerts notifications.

  • Change the value of Enable AMBA Connectivity to Yes. This initiative deploys Azure Monitor Baseline Alerts to monitor Network components such as Azure Firewalls, ExpressRoute, VPN, and Private DNS Zones.

  • Change the value of Enable AMBA Identity to Yes. This initiative deploys Azure Monitor Baseline Alerts to monitor Identity services such as Key Vaults and Managed HSMs.

  • Change the value of Enable AMBA Management to Yes. This initiative deploys Azure Monitor Baseline Alerts to monitor Management services such as Log Analytics Workspaces, Storage Accounts, and Automation Accounts.

  • Change the value of Enable AMBA Hybrid VM to Yes. This initiative deploys Azure Monitor Baseline Alerts to monitor Azure Arc-enabled Servers.

  • Change the value of Enable AMBA Azure VM to Yes. This initiative deploys Azure Monitor Baseline Alerts to monitor Azure Virtual Machines.

  • Change the value of Enable AMBA Key Management to Yes. This initiative deploys Azure Monitor Baseline Alerts to monitor Key Management Services such as Azure Key Vault and Managed HSM.

  • Change the value of Enable AMBA Load Balancing to Yes. This initiative deploys Azure Monitor Baseline Alerts to monitor Load Balancing Services such as Load Balancer, Application Gateway, Traffic Manager, and Azure Front Door.

  • Change the value of Enable AMBA Network Changes to Yes. This initiative implements Azure Monitor Baseline Alerts to monitor alterations in Network Routing and Security, such as modifications to Route Tables and the removal of Network Security Groups.

  • Change the value of Enable AMBA Recovery Services to Yes. This initiative deploys Azure Monitor Baseline Alerts to monitor Recovery Services such as Azure Backup and Azure Site Recovery.

  • Change the value of Enable AMBA Storage to Yes. This initiative deploys Azure Monitor Baseline Alerts to monitor Storage Services such as Storage accounts.

  • Change the value of Enable AMBA Web to Yes. This initiative deploys Azure Monitor Baseline Alerts to monitor Web Services such as App Services.

  • Set the value of Enable AMBA Notification Assets to Yes. This configuration will deploy notification assets broad notifications.

  • Change the values on the Management Groups Settings blade according to the following instructions:

If you are aligned to ALZ

  • Set the value of Enterprise Scale Company Management Group to the management group ID for Platform.
  • Set the value of Platform Management Group to the management group ID for Platform.
  • Set the value of Connectivity Management Group to the management group ID for Connectivity.
  • Set the value of Identity Management Group to the management group ID for Identity.
  • Set the value of Management Management Group to the management group ID for Management.
  • Set the value of Landing Zone Management Group to the management group ID for Landing Zones.

If you are unaligned to ALZ

  • Set the value of Enterprise Scale Company Management Group to the management group ID for Platform. The same management group ID may be repeated.
  • Set the value of Platform Management Group to the management group ID for Platform. The same management group ID may be repeated.
  • Set the value of Connectivity Management Group to the management group ID for Connectivity. The same management group ID may be repeated.
  • Set the value of Identity Management Group to the management group ID for Identity. The same management group ID may be repeated.
  • Set the value of Management Management Group to the management group ID for Management. The same management group ID may be repeated.
  • Set the value of Landing Zone Management Group to the management group ID for Landing Zones. The same management group ID may be repeated.
For ease of deployment and maintenance we have kept the same variables.

If you have a single management group

  • Set the value of Enterprise Scale Company Management Group to the pseudo root management group ID, also called the “Intermediate Root Management Group”.
  • Set the value of Platform Management Group to the pseudo root management group ID, also called the “Intermediate Root Management Group”.
  • Set the value of Connectivity Management Group to the pseudo root management group ID, also called the “Intermediate Root Management Group”.
  • Set the value of Identity Management Group to the pseudo root management group ID, also called the “Intermediate Root Management Group”.
  • Set the value of Management Management Group to the pseudo root management group ID, also called the “Intermediate Root Management Group”.
  • Set the value of Landing Zone Management Group to the pseudo root management group ID, also called the “Intermediate Root Management Group”.
For ease of deployment and maintenance we have kept the same variables.

Notification Settings Blade


While it’s technically possible to not add any notification information (email, ARM Role, Logic App, etc.), it is highly recommended to configure at least one option.
  • Change the values on the Notification Settings Blade according to the following instructions:

    • Change the value of Bring Your Own Notifications (BYON) to Yes if you want to use existing Action Groups and Alert Processing Rules. The BYON feature allows you to set the necessary parameter values before deploying the ALZ pattern. You can either specify one or more existing Action Groups and one Alert Processing Rule, or provide target values so that the Action Group and Alert Processing Rule will be created using the actions specified in the parameter file. You may also leave the values blank, which will result in the creation of an empty Action Group.

    • Specify the email address(es) for Email contact for action group notifications to receive notifications for alerts, including Service Health alerts. Leave this field blank if email notifications are not required.

    • Specify the URI(s) for Webhook Service Uri to be used as actions for alerts, including Service Health alerts. Leave this field blank if no Webhook is used.

    • Select the Azure Resource Manager Role(s) for Arm Role ID to receive notifications for alerts, including Service Health alerts. Leave this field blank if no Azure Resource Manager Role notification is required.

    • Specify the Logic app resource ID for Logicapp Resource ID to be used as an action for alerts, including Service Health alerts. Leave this field blank if no Logic app is used.

    • Update the Logicapp Callback Url with the callback URL of the Logic App you intend to use for alert actions (including Service Health alerts). If no Logic App is used, leave this field blank. To obtain the callback URL, you can either use the Get-AzLogicAppTriggerCallbackUrl PowerShell command or navigate to the Logic App in the Azure portal: go to Logic App Designer, expand the trigger activity (When an HTTP request is received), and copy the URL using the copy icon.

      Get Logic app callback url

    • Specify the Event Hub Resource ID for the Event Hubs to be used as actions for alerts, including Service Health alerts. Leave this field blank if no Event Hubs are used.

    • Specify the Function Resource ID for the Function App to be used as an action for alerts, including Service Health alerts. Leave this field blank if no Function App is used.

    • Update the Function Trigger Url with the trigger URL of the Function App to be used as an action for alerts, including Service Health alerts. Leave this field blank if no Function App is used. To obtain the Function App trigger URL with the corresponding code, navigate to the HTTP-triggered functions in the Azure portal, go to Code + Test, select Get function URL from the top menu, and copy the value in the URL field using the copy icon.

      Get function URL

      It is possible to use multiple email addresses, Arm Roles, Webhooks or Event Hubs (not recommended as per ALZ guidance).
      Should you set multiple entries, ensure that they are entered in the proper format, which is:
      - Array format for:
        - Email addresses. Example: ["action1@contoso.com" , "action2@contoso.com" , "action3@contoso.com"]
        - Azure roles. Example: ["8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "b24988ac-6180-42a0-ab88-20f7382dd24c"]
        - Event Hubs. Example: []
        - Webhooks. Example: ["https://br1.br2.com","http://br2.br1.com"]
      - Single string for:
        - Logic Apps
        - Functions
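
A pre-flight check for the multi-value formats listed above, as an added example that is not part of the AMBA project: it parses the text typed into each field and reports entries that do not match the stated format. The dictionary keys are hypothetical labels for the portal fields, and the HTTPS warning is an extra check that this page does not state.

```python
import json
import re
from urllib.parse import urlparse

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def _is_url(value):
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

# Fields the page lists as array format, each with a per-entry check.
# The key names are hypothetical labels, not the template's parameter names.
ARRAY_FIELDS = {
    "email": lambda v: bool(EMAIL.match(v)),
    "arm_role": lambda v: bool(GUID.match(v)),
    "event_hub": lambda v: v.lower().startswith("/subscriptions/"),
    "webhook": _is_url,
}
# Fields the page lists as a single string.
STRING_FIELDS = ("logic_app", "function")

def check_notification_settings(settings):
    """Return (errors, warnings) for the raw text typed into each field."""
    errors, warnings = [], []
    for name, entry_ok in ARRAY_FIELDS.items():
        raw = settings.get(name, "").strip()
        if not raw:
            continue  # blank field: that notification type is not used
        try:
            entries = json.loads(raw)
        except ValueError:
            errors.append(f"{name}: not a valid array")
            continue
        if not isinstance(entries, list) or not all(isinstance(e, str) for e in entries):
            errors.append(f"{name}: must be an array of strings")
            continue
        for entry in entries:
            if not entry_ok(entry):
                errors.append(f"{name}: bad entry {entry!r}")
            elif name == "webhook" and urlparse(entry).scheme != "https":
                # Added check, not from the page: alert payloads would travel unencrypted.
                warnings.append(f"webhook: {entry} is not HTTPS")
    for name in STRING_FIELDS:
        if settings.get(name, "").strip().startswith("["):
            errors.append(f"{name}: must be a single string, not an array")
    return errors, warnings
```

The Logic App callback URL and Function trigger URL embed an access signature or function code, so treat any file holding these values as a secret.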
      

Next steps

To remediate non-compliant policies, continue with Policy remediation