Details of the scenario you tried and the problem that is occurring

When the Audit diagnostic setting for selected resource types policy is assigned in a scope that contains a resource of the type `microsoft.network/networkinterfaces` (a private endpoint in our case), the policy flags these resources as Non-Compliant. The policy checks for the existence of the field `Microsoft.Insights/diagnosticSettings/logs.enabled` with a value of `true`.

However, the `Microsoft.Insights/diagnosticSettings` for a `microsoft.network/networkinterfaces` is different from most resource types. Below is the difference:
Because `logs` is an empty array, it does not contain `enabled: true`, and thus the policy flags this resource as Non-Compliant.
Verbose logs showing the problem

N/A

Suggested solution to the issue

Do not check `logs.enabled` for `microsoft.network/networkinterfaces`.

If policy is Guest Configuration - details about target node

N/A
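The following is an added example, not part of the issue or of the Azure Policy definition itself: a simplified Python model of the `logs.enabled` check over constructed diagnostic settings, showing why an empty `logs` array makes a network interface non-compliant, and what the suggested exemption for `microsoft.network/networkinterfaces` changes. Sample resources, the `SCOPE` inventory, and the metrics-based fallback used for exempted NICs are assumptions for illustration, not Azure Policy engine behaviour.

```python
"""Simplified model of the check described in this issue; not the Azure Policy engine."""

# Constructed sample data. The storage account's diagnostic setting carries log categories;
# the setting on the NIC behind a private endpoint has an empty logs array (as the issue shows);
# a third NIC has no diagnostic setting at all.
SCOPE = [
    {"name": "stexample", "type": "Microsoft.Storage/storageAccounts",
     "diagnosticSettings": {"logs": [{"category": "StorageRead", "enabled": True}],
                            "metrics": [{"category": "Transaction", "enabled": True}]}},
    {"name": "pe-nic", "type": "microsoft.network/networkinterfaces",
     "diagnosticSettings": {"logs": [],
                            "metrics": [{"category": "AllMetrics", "enabled": True}]}},
    {"name": "vm-nic-nodiag", "type": "microsoft.network/networkinterfaces",
     "diagnosticSettings": None},
]

NIC_TYPE = "microsoft.network/networkinterfaces"


def logs_enabled(setting):
    """Field Microsoft.Insights/diagnosticSettings/logs.enabled == true: at least one
    enabled log category. An empty logs array can never satisfy this."""
    return any(entry.get("enabled") is True for entry in setting.get("logs", []))


def evaluate(resource, exempt_nic_logs=False):
    """Return 'Compliant' or 'Non-Compliant' for one resource.
    exempt_nic_logs=False: the check as the issue reports it.
    exempt_nic_logs=True: the suggested fix (no logs.enabled check for NICs); exempted NICs
    are then judged on an enabled metric instead (an assumption, not stated in the issue)."""
    setting = resource.get("diagnosticSettings")
    if setting is None:
        return "Non-Compliant"  # no diagnostic setting exists at all
    if exempt_nic_logs and resource["type"].lower() == NIC_TYPE:
        ok = any(m.get("enabled") is True for m in setting.get("metrics", []))
    else:
        ok = logs_enabled(setting)
    return "Compliant" if ok else "Non-Compliant"


def evaluate_scope(scope, exempt_nic_logs=False):
    """Map each resource name in the scope to its compliance state."""
    return {r["name"]: evaluate(r, exempt_nic_logs) for r in scope}


if __name__ == "__main__":
    print("check as reported:  ", evaluate_scope(SCOPE))
    print("with NIC exemption: ", evaluate_scope(SCOPE, exempt_nic_logs=True))
```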