Azure Monitor Baseline Alerts
Download AlertsGlossaryGitHubGitHub IssuesToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Deploy via the Azure Portal (Preview)

Deploy to Azure

Deployment Settings Blade

Deployment Settings Blade

  • Change the values on the Deployment Settings blade to the instructions below:
    • Choose the Management Group where you wish to deploy the policies and the initiatives. This is usually the so called “pseudo root management group”, for example, in ALZ terminology, this would be the so called “Intermediate Root Management Group” (directly beneath the “Tenant Root Group”).
    • Choose the value of Region to specify your Azure location of choice.
    • Change the value of Resource group for baseline alerts to the name of the resource group where the activity logs, resource health alerts, actions groups and alert processing rules will be deployed in.
    • Choose the value of Resource group location to specify the location for said resource group.
    • Choose the value of Bring Your Own User Assigned Managed Identity to specify if you want to bring your own user assigned managed identity for monitoring purpose.
    • Define the value of User Assigned Managed Identity Name to specify the name of the user assigned managed identity for monitoring purpose.
    • Choose the value of Bring Your Own User Assigned Managed Identity Resource Id to specify the resource id of the user assigned managed identity if you want to bring your own user assigned managed identity for monitoring purpose.
    • Choose the value of Management Subscription Id to specify the subscription id where the user assigned managed identity will be created.
    • Choose the value of Customer Usage Selection Option Microsoft can identify the deployments of the Azure Resource Manager and Bicep templates with the deployed Azure resources. Microsoft can correlate these resources used to support the deployments. Microsoft collects this information to provide the best experiences with their products and to operate their business. The telemetry is collected through customer usage attribution. The data is collected and governed by Microsoft’s privacy policies, located at the trust center.
    • Change the value of Resource Group Tags to specify the tags to be added to said resource group.

Management Groups Settings Blade

  • Change the values on the Management Groups Settings blade to the instructions below:

Management Groups Settings Blade

If you are aligned to ALZ

  • Choose the value of Enterprise Scale Company Management Group to the management group id for Platform.
  • Choose the value of Identity Management Group to the management group id for Identity.
  • Choose the value of Management Management Group to the management group id for Management.
  • Choose the value of Connectivity Management Group to the management group id for Connectivity.
  • Choose the value of Landing Zone Management Group to the management group id for Landing Zones.

If you are unaligned to ALZ

  • Choose the value of Enterprise Scale Company Management Group to the management group id for Platform. The same management group id may be repeated.
  • Choose the value of Identity Management Group to the management group id for Identity. The same management group id may be repeated.
  • Choose the value of Management Management Group to the management group id for Management. The same management group id may be repeated.
  • Choose the value of Connectivity Management Group to the management group id for Connectivity. The same management group id may be repeated.
  • Choose the value of Landing Zone Management Group to the management group id for Landing Zones. The same management group id may be repeated.
For ease of deployment and maintenance we have kept the same variables.

If you have a single management group

  • Choose the value of Enterprise Scale Company Management Group to the pseudo root management group id, also called the “Intermediate Root Management Group”.
  • Choose the value of Identity Management Group to the pseudo root management group id, also called the “Intermediate Root Management Group”.
  • Choose the value of Management Management Group to the pseudo root management group id, also called the “Intermediate Root Management Group”.
  • Choose the value of Connectivity Management Group to the pseudo root management group id, also called the “Intermediate Root Management Group”.
  • Choose the value of Landing Zone Management Group to the pseudo root management group id, also called the “Intermediate Root Management Group”.
For ease of deployment and maintenance we have kept the same variables.
  • Change the value of Enable AMBA Hybrid VM to Yes This initiative deploys Azure Monitor Baseline Alerts to monitor Azure Arc-enabled Servers.
  • Change the value of Enable AMBA Key Management to Yes This initiative deploys Azure Monitor Baseline Alerts to monitor Key Management Services such as Azure Key Vault, and Managed HSM.
  • Change the value of Enable AMBA Load Balancing to Yes This initiative deploys Azure Monitor Baseline Alerts to monitor Load Balancing Services such as Load Balancer, Application Gateway, Traffic Manager, and Azure Front Door.
  • Change the value of Enable AMBA Network Changes to Yes This initiative implements Azure Monitor Baseline Alerts to monitor alterations in Network Routing and Security, such as modifications to Route Tables and the removal of Network Security Groups.
  • Change the value of Enable AMBA Recovery Services to Yes This initiative deploys Azure Monitor Baseline Alerts to monitor Recovery Services such as Azure Backup, and Azure Site Recovery.
  • Change the value of Enable AMBA Storage to Yes This initiative deploys Azure Monitor Baseline Alerts to monitor Storage Services such as Storage accounts.
  • Change the value of Enable AMBA VM to Yes This initiative deploys Azure Monitor Baseline Alerts to monitor Azure Virtual Machines.
  • Change the value of Enable AMBA Web to Yes This initiative deploys Azure Monitor Baseline Alerts to monitor Web Services such as App Services.
  • Change the value of Enable AMBA notification assets to Yes In this scenario, the deployment will Deploy notification assets for Service Health alerts and wide notifications.
  • Change the value of Enable AMBA Service Health to Yes In this scenario, the deployment will assign the Service Health Policy Set Definition.

Notification Settings Blade

Notification Settings Blade

While it’s technically possible to not add any notification information (no email, no ARM Role, no Logic App, etc.) it is strongly recommended to configure at least one option.

  • Change values on the Notification Settings Blade blade to the instructions below:

    • Change the value of Bring Your Own Notifications (BYON) to Yes if you wish to use existing Action Groups and Alert Processing Rule. The BYON feature works by setting the necessary parameter values before running the ALZ pattern deployment. Customers have the choice to either specify one or more existing AGs and one APR or to enter target values so the AG and the APR will be created using the actions specified in the parameter file (including the option to not specify any value and creating an empty AG).

    • Change the value of Email contact for action group notifications to the email address(es) where notifications of the alerts (including Service Health alerts) are sent to. Leave the value blank if no email notification is used.

    • Change the value of Webhook Service Uri to the URI(s) to be used as action for the alerts (including Service Health alerts). Leave the value blank if no Webhook is used.

    • Choose the value of Arm Role Id to the Azure Resource Manager Role(s) where notifications of the alerts (including Service Health alerts) are sent to. Leave the value blank if no Azure Resource Manager Role notification is required.

    • Change the value of Logicapp Resource Id to the Logic app resource id to be used as action for the alerts (including Service Health alerts). Leave the value blank if no Logic app is used.

    • Change the value of Logicapp Callback Url to the Logic app callback url of the Logic app you want to use as action for the alerts (including Service Health alerts). Leave the value blank if no Logic app is used. To retrieve the callback url you can either use the Get-AzLogicAppTriggerCallbackUrl PowerShell command or navigate to the Logic app in the Azure portal, go to Logic app designer, expand the trigger activity (When an HTTP request is received) and copy the value in the URL field using the 2-sheets icon.

      Get Logic app callback url

    • Change the value of Event Hub Resource Id to the Event Hubs to be used as action for the alerts (including Service Health alerts). Leave the value blank if no Event Hubs is used.

    • Change the value of Function Resource Id to the Function resource id to be used as action for the alerts (including Service Health alerts). Leave the value blank if no Function is used.

    • Change the value of Function Trigger Url to the Function App trigger url of the function to be used as action for the alerts (including Service Health alerts). Leave the value blank if no Function is used. To retrieve the Function App trigger url with the corresponding code, navigate to the HTTP-triggered functions in the Azure portal, go to Code + Test, select Get function URL from the menu top menu and copy the value in the URL field using the 2-sheets icon.

      Get function URL

    It is possible use multiple email addresses, as well as multiple Arm Roles, Webhooks or Event Hubs (not recommended as per ALZ guidance). Should you set multiple entries, make sure they are entered as an array. Example:

    ["action1@contoso.com","action2@contoso.com","action3@contoso.com"]

    ["https://webhookUri1.webhook.com","http://webhookUri2.webhook.com"]

Next steps

To remediate non-compliant policies, continue with Policy remediation