# MT.1100 - Intune Audit Logs should be retained

## Overview

This test checks for the existence of Intune diagnostic settings that collect Intune Audit Logs.

## Test Prerequisites

For this test to run, the executing principal must have permission to read Intune diagnostic settings in Azure (the microsoft.intune/diagnosticSettings/read action). This typically requires at least the 'Monitoring Reader' or 'Reader' Azure role assigned at the subscription level (for example, with scope /subscriptions/$SubscriptionId), which grants access to the provider-level Intune diagnostic settings.

Alternatively, you can create a custom RBAC role that grants only this action with the following snippet:
```powershell
# Get the subscription ID and user ID from the current Az context. Change if necessary.
$SubscriptionId = (Get-AzContext).Subscription.Id
$UserId = (Get-AzADUser -UserPrincipalName (Get-AzContext).Account.Id).Id

# Least-privilege role definition: a single read action, scoped to this subscription only.
$CustomRole = @{
    Name             = 'Intune Diagnostic Settings Reader'
    Description      = 'Can read Intune diagnostic settings only'
    Actions          = @('microsoft.intune/diagnosticSettings/read')
    NotActions       = @()
    AssignableScopes = @("/subscriptions/$SubscriptionId")
}
New-AzRoleDefinition -Role $CustomRole

# Assign the custom role to the executing principal at subscription level
New-AzRoleAssignment -ObjectId $UserId -RoleDefinitionName 'Intune Diagnostic Settings Reader' -Scope "/subscriptions/$SubscriptionId"
```
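To show what a passing result looks like, the following is an added example (not Maester's own test code) that evaluates the diagnostic settings returned by the Intune resource provider and reports whether any of them sends the AuditLogs category to a destination. The REST path, api-version and the `AuditLogs` category name are assumptions about the provider API; the sample response is constructed so the check runs offline.

```powershell
# Added example, not part of the Maester project. Assumes the Intune resource
# provider exposes its diagnostic settings at the REST path used below.
function Test-IntuneAuditLogRetention {
    param(
        # Parsed JSON body of GET /providers/Microsoft.Intune/diagnosticSettings
        [Parameter(Mandatory)] $DiagnosticSettings
    )
    foreach ($setting in $DiagnosticSettings.value) {
        $props = $setting.properties
        # Logs are only retained if the setting has at least one destination
        $hasDestination = [bool]$props.storageAccountId -or
                          [bool]$props.workspaceId -or
                          [bool]$props.eventHubAuthorizationRuleId
        # The category name 'AuditLogs' is an assumption about the provider schema
        $auditEnabled = @($props.logs | Where-Object { $_.category -eq 'AuditLogs' -and $_.enabled })
        if ($hasDestination -and $auditEnabled.Count -gt 0) {
            return [pscustomobject]@{ Compliant = $true; SettingName = $setting.name }
        }
    }
    return [pscustomobject]@{ Compliant = $false; SettingName = $null }
}

# Live query (requires the read permission described above). Path and api-version are assumptions.
# $response = Invoke-AzRestMethod -Method GET -Path '/providers/Microsoft.Intune/diagnosticSettings?api-version=2017-04-01-preview'
# $settings = $response.Content | ConvertFrom-Json

# Constructed sample response: one setting shipping AuditLogs to a Log Analytics workspace
$sample = @'
{ "value": [
  { "name": "audit-to-law",
    "properties": {
      "workspaceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.OperationalInsights/workspaces/law",
      "logs": [ { "category": "AuditLogs", "enabled": true },
                { "category": "OperationalLogs", "enabled": false } ]
    } }
] }
'@ | ConvertFrom-Json

Test-IntuneAuditLogRetention -DiagnosticSettings $sample
```

A setting with `AuditLogs` enabled but no storage account, workspace or event hub configured is reported as non-compliant, since nothing is actually retained.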
## Remediation action

- Check the following Microsoft Learn article to Send Intune log data to Azure Storage, Event Hubs, or Log Analytics.
- Existing diagnostic settings can be viewed within the Intune Diagnostics settings blade.
## Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1100 |
| Severity | High |
| Suite | Maester |
| Category | Intune |
| PowerShell test | Test-MtIntuneDiagnosticSettings |
| Tags | Intune, Maester, MT.1100 |
## Source

- Pester test: tests/Maester/Intune/Test-MtIntunePlatform.Tests.ps1
- PowerShell source: powershell/public/maester/intune/Test-MtIntuneDiagnosticSettings.ps1