Hi, if you want to block or audit diagnostic settings on AKS clusters that send logs to disallowed storage accounts, the recommended method is to target the diagnostic setting resource directly, not the AKS cluster.
Diagnostic settings are extension resources nested under AKS (e.g., /managedClusters/<name>/providers/Microsoft.Insights/diagnosticSettings/<setting>), and Azure Policy can evaluate them only if your rule explicitly scopes to Microsoft.Insights/diagnosticSettings and uses contains(field('id'), '/managedClusters/') to catch only the ones tied to AKS.
From there, you check the destination using the alias Microsoft.Insights/diagnosticSettings/storageAccountId. This lets you write a clean Deny policy that blocks settings pointing to specific storage accounts.
You can also clone it with effect: Audit if you prefer to just monitor violations.
Note: AuditIfNotExists doesn’t work well here; it evaluates at the AKS level and can’t “see” child diagnostic settings. That's why Microsoft recommends scoping the policy directly to the extension resource, which avoids alias limitations.
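As an added example (not part of the answer above, and not a Microsoft built-in), here is a policy definition in the shape the answer describes: it matches the Microsoft.Insights/diagnosticSettings extension resource, keeps only settings whose id contains /managedClusters/, and compares the storageAccountId alias against a parameter list. The display name, the parameter names and the parameter-driven effect are assumptions of this example; the type check, the /managedClusters/ id match and the storageAccountId alias are the ones the answer names. Mode is set to All because diagnostic settings do not support tags, so an Indexed policy would never evaluate them.

```json
{
  "properties": {
    "displayName": "Deny AKS diagnostic settings that target disallowed storage accounts",
    "mode": "All",
    "description": "Targets the Microsoft.Insights/diagnosticSettings extension resource nested under AKS managed clusters and denies (or audits) settings whose storageAccountId is in a disallowed list.",
    "parameters": {
      "disallowedStorageAccountIds": {
        "type": "Array",
        "metadata": {
          "displayName": "Disallowed storage account resource IDs",
          "description": "Full resource IDs of storage accounts that AKS diagnostic settings must not send logs to (assumed parameter name for this example)."
        },
        "defaultValue": []
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Deny to block creation/update, Audit to only flag existing violations."
        },
        "allowedValues": ["Deny", "Audit", "Disabled"],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Insights/diagnosticSettings"
          },
          {
            "field": "id",
            "contains": "/managedClusters/"
          },
          {
            "field": "Microsoft.Insights/diagnosticSettings/storageAccountId",
            "in": "[parameters('disallowedStorageAccountIds')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assign it once with effect Deny to block new settings, and a second assignment (or the same definition with effect Audit) to surface settings that already existed before the policy was in place, since Deny only acts on create and update requests. String comparisons in policy conditions are case-insensitive, so the storage account resource IDs in the parameter list do not need to match the casing of the original deployment.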