Azure Error "The template deployment failed because of policy violation. Please see details for more information."


Error while running the Account baseline pipeline in DevOps. When executing a PowerShell script that automatically sets the ActivityLog, an error occurs only on some subscriptions. Please help me solve the error below.

Error Message : Inner Errors: {'code': 'RequestDisallowedByPolicy', 'target': 'ActivityLogs', 'message': 'Resource 'ActivityLogs' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"Deny modification of diagnostic settings in the activity log", "id":"/providers/Microsoft.Management/managementGroups/SKT/providers/Microsoft.Authorization/policyAssignments/PA_201027_C_005"}, "policyDefinition":{"name":"Deny modification of diagnostic settings in the activity log", "id":"/providers/Microsoft.Management/managementGroups/SKT/providers/Microsoft.Authorization/policyDefinitions/ff8f7238-2c3c-549f-9613-fcf1b62962a0"}}]'.', 'additionalInfo': [{'type': 'PolicyViolation', 'info': {'policyDefinitionDisplayName': 'Deny modification of diagnostic settings in the activity log', 'evaluationDetails': {'evaluatedExpressions': [{'result': 'True', 'expressionKind': 'Field', 'expression': 'type', 'path': 'type', 'expressionValue': 'Microsoft.Insights/diagnosticSettings', 'targetValue': 'Microsoft.Insights/diagnosticSettings', 'operator': 'Equals'}, {'result': 'True', 'expressionKind': 'Count', 'expression': 'Microsoft.Insights/diagnosticSettings/logs[]', 'path': 'properties.logs[]', 'expressionValue': 8, 'targetValue': 1, 'operator': 'GreaterOrEquals'}, {'result': 'True', 'expressionKind': 'Field', 'expression': 'Microsoft.Insights/diagnosticSettings/storageAccountId', 'path': 'properties.storageAccountId', 'expressionValue': '',

Activity Log -> Validate Deployment -> "Json" contents

"correlationId": "619c8334-8463-4a8f-8c2a-e28b405d720e", "description": "", "eventDataId": "3502be36-c5e8-404b-947e-f1735debf506", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2022-04-17T09:21:06.2088549Z", "id": "/subscriptions/b0d5568e-1c80-4e83-a021-bc244dc5bd82/providers/Microsoft.Resources/deployments/InitActivityLogSetting_04170921/events/3502be36-c5e8-404b-947e-f1735debf506/ticks/637857840662088549", "level": "Error", "operationId": "619c8334-8463-4a8f-8c2a-e28b405d720e", "operationName": { "value": "Microsoft.Resources/deployments/validate/action", "localizedValue": "Validate Deployment" }, "resourceGroupName": "", "resourceProviderName": { "value": "Microsoft.Resources", "localizedValue": "Microsoft Resources" }, "resourceType": { "value": "Microsoft.Resources/deployments", "localizedValue": "Microsoft.Resources/deployments" }, "resourceId": "/subscriptions/b0d5568e-1c80-4e83-a021-bc244dc5bd82/providers/Microsoft.Resources/deployments/InitActivityLogSetting_04170921", "status": { "value": "Failed", "localizedValue": "Failed" }, "subStatus": { "value": "BadRequest", "localizedValue": "Bad Request (HTTP Status Code: 400)" }, "submissionTimestamp": "2022-04-17T09:22:53.1947302Z", "subscriptionId": "b0d5568e-1c80-4e83-a021-bc244dc5bd82", "tenantId": "b20e9363-6cf4-4366-9b50-cec8054c47af", "properties": { "statusCode": "BadRequest", "serviceRequestId": null, "statusMessage": "{"error":{"code":"InvalidTemplateDeployment","message":"The template deployment failed because of policy violation. Please see details for more information.","details":[{"code":"RequestDisallowedByPolicy","target":"ActivityLogs","message":"Resource 'ActivityLogs' was disallowed by policy. 
Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Deny modification of diagnostic settings in the activity log\",\"id\":\"/providers/Microsoft.Management/managementGroups/SKT/providers/Microsoft.Authorization/policyAssignments/PA_201027_C_005\"},\"policyDefinition\":{\"name\":\"Deny modification of diagnostic settings in the activity log\",\"id\":\"/providers/Microsoft.Management/managementGroups/SKT/providers/Microsoft.Authorization/policyDefinitions/ff8f7238-2c3c-549f-9613-fcf1b62962a0\"}}]'.","additionalInfo":[{"type":"PolicyViolation"}]}]}}", "eventCategory": "Administrative", "entity": "/subscriptions/b0d5568e-1c80-4e83-a021-bc244dc5bd82/providers/Microsoft.Resources/deployments/InitActivityLogSetting_04170921", "message": "Microsoft.Resources/deployments/validate/action", "hierarchy": "b20e9363-6cf4-4366-9b50-cec8054c47af/SKT/LZ_Divisions/devsecops_ID/b0d5568e-1c80-4e83-a021-bc244dc5bd82" }, "relatedEvents": [] }

There is 1 best solution below

It looks like you have an Azure Policy assigned that is blocking modifications of Activity logs. If you have permissions, you can look at the policy definitions in your subscription and add an exception for what you are trying to do. If you are not the admin of your subscription, you will need to contact them to add the exception or remove the policy.

Policy Overview

https://learn.microsoft.com/en-us/azure/governance/policy/overview

Policy Exceptions

https://learn.microsoft.com/en-us/azure/governance/policy/concepts/exemption-structure
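
An added example, not part of the original question or answer: a PowerShell function that pulls the blocking policy assignment, its scope and the policy definition out of a `RequestDisallowedByPolicy` error, so the right assignment can be raised with whoever owns the policy. The function name `Get-BlockingPolicy` is hypothetical, and the sample input is the `statusMessage` value from the activity log entry in the question, re-typed inline so the snippet runs offline.

```powershell
# Sample input: the statusMessage string from the question's activity log entry (re-typed).
$statusMessage = @'
{"error":{"code":"InvalidTemplateDeployment","message":"The template deployment failed because of policy violation. Please see details for more information.","details":[{"code":"RequestDisallowedByPolicy","target":"ActivityLogs","message":"Resource 'ActivityLogs' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Deny modification of diagnostic settings in the activity log\",\"id\":\"/providers/Microsoft.Management/managementGroups/SKT/providers/Microsoft.Authorization/policyAssignments/PA_201027_C_005\"},\"policyDefinition\":{\"name\":\"Deny modification of diagnostic settings in the activity log\",\"id\":\"/providers/Microsoft.Management/managementGroups/SKT/providers/Microsoft.Authorization/policyDefinitions/ff8f7238-2c3c-549f-9613-fcf1b62962a0\"}}]'.","additionalInfo":[{"type":"PolicyViolation"}]}]}}
'@

# Hypothetical helper (not an Az module cmdlet): lists every policy assignment
# named in the RequestDisallowedByPolicy details of a deployment error.
function Get-BlockingPolicy {
    param([Parameter(Mandatory)][string]$StatusMessage)

    $err = ($StatusMessage | ConvertFrom-Json).error
    foreach ($detail in $err.details) {
        if ($detail.code -ne 'RequestDisallowedByPolicy') { continue }

        # The identifiers are a JSON array embedded in the message text,
        # wrapped in single quotes after "Policy identifiers:".
        if ($detail.message -match "Policy identifiers: '(\[.*\])'") {
            foreach ($p in ($Matches[1] | ConvertFrom-Json)) {
                $id = $p.policyAssignment.id
                # Everything before the Microsoft.Authorization segment is the scope
                # the assignment was made at.
                $scope = $id -replace '/providers/Microsoft\.Authorization/policyAssignments/.*$', ''

                [pscustomobject]@{
                    Target              = $detail.target
                    AssignmentName      = $p.policyAssignment.name
                    AssignmentId        = $id
                    AssignmentScope     = $scope
                    # True when the assignment sits on a management group and is
                    # inherited by the subscriptions underneath it.
                    FromManagementGroup = $scope -like '/providers/Microsoft.Management/managementGroups/*'
                    DefinitionId        = $p.policyDefinition.id
                }
            }
        }
    }
}

Get-BlockingPolicy -StatusMessage $statusMessage | Format-List
```

For the error in the question this reports the assignment `PA_201027_C_005` at scope `/providers/Microsoft.Management/managementGroups/SKT`, with `FromManagementGroup` set to `True`. An assignment at management group scope applies to every subscription beneath that group, which is worth checking when only some subscriptions fail.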