Currently I am involved in writing Bicep code to deploy monitoring. This includes monitoring Azure AD. As there are very few examples how you can actually send Azure AD logs to a Log Analytics with code, I’m sharing an example in Bicep. (Here is an ARM template by Kristian Nese.)

Make sure the service account has, apart from Azure RBAC permissions to deploy to Azure, also Azure AD permissions. Security Administrator or Global Administrators have permissions to set AAD Diagnostic settings.

This example enables sending all currently available Azure AD logs to a Log Analytics Workspace. If you need less logs, delete the category from the variable. The workspace ID is referenced by, as in my code there is a workspace deployed with a Bicep resource called LAW.

Note: As the Azure AD Diagnostic Logs setting is a tenant wide setting, the template has a scope: tenant() added.