Azure Network Watcher
An Azure service that is used to monitor, diagnose, and gain insights into network performance and health.
Guidance needed to comply with Defender network security group flow log policy.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 19%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAJ%3C/text%3E%3C/svg%3E)
Ashutosh Jadhav
0
Reputation points
I am working on implementing the Azure Defender compliance policy: “Flow logs should be configured for every network security group.”
This policy requires enabling flow logs for all Network Security Groups (NSGs). However, I am facing an issue where the option to select Flow log type: Network security group is disabled by default, as indicated by the notification provided in the Azure portal.
How can I achieve compliance with this policy? We need to meet this requirement as part of our Azure SOC 2 2023 compliance efforts.
Thanks,
Ashutosh
Azure Network Watcher
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 36%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESH%3C/text%3E%3C/svg%3E)
Shree Hima Bindu Maganti 5,805 Reputation points Microsoft External Staff Moderator2025-10-20T16:15:45.39+00:00 Hi @Ashutosh Jadhav
It looks like you're working toward compliance with the Azure Defender policy for NSG flow logs, but the flow log option is currently disabled.Make sure the Microsoft.Insights resource provider is registered in your subscription. If it’s not, register it by following the instructions here.
Use Azure Policy to set up NSG flow logs:
Sign in to the Azure portal and search for Policy.
Go to Assignments and select Assign policy.
Choose the correct Scope (subscription or resource group).
Under Policy definition, search for "flow log" and pick the policy named Flow logs should be configured for every network security group.
After assigning the policy, check the Compliance section to see if your NSGs are compliant. It may take a few minutes for the policy to evaluate and apply the flow logs.
Ensure the storage account for flow logs is in the same region as your NSG. If storage access keys have changed, try disabling and re-enabling flow logs.
Flow logs may not work if there are network issues or if VMs are inactive. Make sure VMs are running and check for any blockers, such as App Gateways or firewalls.
For more details on managing NSG flow logs with Azure Policy, official documentation.
Let me know if you have any further assistances needed. -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 22%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETG%3C/text%3E%3C/svg%3E)
Thanmayi Godithi 1,635 Reputation points Microsoft External Staff Moderator2025-10-21T06:13:38.9166667+00:00 Hi @Ashutosh Jadhav,
As per the official Azure documentation, Network Security Group (NSG) flow logs are being retired, you won’t be able to create new NSG flow logs after June 30, 2025, and existing ones will be retired by September 30, 2027. You’re advised to migrate to Virtual Network Flow Logs, which are the replacement and address the limitations of NSG flow logs.
Reference: https://free.blessedness.top/en-us/azure/network-watcher/nsg-flow-logs-migrate
Please go ahead and create Virtual Network Flow Logs to stay compliant with the latest standards. If you still face issues regarding the Defender compliance policy after this change, kindly let us know we’ll check further with the compliance team.
Thanks,
Thanmayi
-
Ashutosh Jadhav 0 Reputation points
2025-10-21T09:07:12.2966667+00:00 Hi @Thanmayi Godithi
Thanks for the reply. I have already created the Virtual Network Flow Logs for all of the Vnets but it still shows non compliance for “Flow logs should be configured for every network security group” policy. How can I exempt or get compliant with this policy.**
**
Thanks**,**Ashutosh
-
Thanmayi Godithi 1,635 Reputation points Microsoft External Staff Moderator
2025-10-23T02:18:36.94+00:00 Hi @Ashutosh Jadhav,
Thank you for sharing the details. Could you please share the below details via "Private message" option.
Email ID:
Time zone:
Subscription ID:
Tenand ID:
Thanks
Sign in to comment
Sign in to answer