Azure Custom Template Deployment
Last updated - 29 October, 2025
Azure custom templates are JSON files that define resources you want to deploy in Microsoft Azure. They provide a faster and more consistent way to create VMs, storage accounts, or networking components than manually selecting options in the Azure portal. Azure custom templates are required to deploy the necessary resources (such as Azure Functions and Event Hubs) that listen for logs from sources such as Okta.
Custom templates may also be required for deployments that require custom data that is not currently supported by connectors. For example, Sentinel by Microsoft supports Okta log ingestion, but only for Okta System logs. If your deployment needs other types of data from Okta, or you want to filter which logs are ingested from Okta, you must deploy a custom Azure template.
Requirements for Deploying the Azure Template
To deploy the Azure Function and Event Hub, you need the following:
- An Azure Cloud Account created in your LogicMonitor portal. For more information, see Adding Microsoft Azure Cloud Monitoring.
- LogicMonitor API tokens to authenticate all requests to the log ingestion API. For more information, see Adding an API Token.
- The Azure CLI tools installed on the machines that forward logs. For more information, see How to install the Azure CLI from Microsoft.
- A User Administrator role in Azure to create the managed identity that accesses the Azure resource logs.
Note: Azure devices can only send logs to the Event Hubs within the same region. Each Azure region requires a separate Azure Function deployment.
Deploying the Azure Template
- Use your Azure cloud account to deploy a custom template. For detailed instructions, see Deploy Resources from Custom Template from Microsoft.
- On the Edit Template page, provide the following parameters:
| Parameter | Description | Required |
| --- | --- | --- |
| Region | The location to store the deployment metadata. Predefined in Azure but you can change the value. For a list of Azure regions by their display names, see Azure geographies from Microsoft. | Yes |
| resource_group_region | Enter the region where you want to create the resource group and deploy resources (such as Event Hub and Function App). For a list of the Azure regions in plain text, run the following command from PowerShell with the Azure CLI tools installed: az account list-locations -o table | Yes |
| LM_Company_name | Your LogicMonitor company or account name in the target URL. This is only the <account> value, not the fully qualified domain name (FQDN). Example: https://<account>.logicmonitor.com | Yes |
| LM_Domain_Name | The domain of your LM portal. By default, it is set to "logicmonitor.com". The supported domains for this variable are lmgov.us, qa-lmgov.us, and logicmonitor.com. | Yes |
| LM_Access_Id | The LM API token's access ID. You should use an API-only user for this integration. | Yes |
| LM_Access_Key | The LM API token's access key. | Yes |
| Azure_Client_Id | The Application (client) ID used while creating the Azure Cloud Account in your LogicMonitor portal. Note: This ID should have been created when you connected the Azure Cloud Account. The ID can be found in the Azure Active Directory under App Registrations. | Yes |
| Enable Activity Logs | Specify whether or not to send Activity Logs to the Event Hub created with the Azure Function. Can be “Yes” (default) or “No”. | No |
| Azure_Account_Name | Use this field to establish mapping between the Azure account logs and the Cloud account resource. The Azure Account name can be retrieved from the system.displayname field in the Cloud Account Info tab. | No |
| LM_Bearer_Token | LM API Bearer Token. You can use both access_id and access_key, or just bearer_token. If all the parameters are provided, the LMv1 token (access_id and access_key) is used for authentication with LogicMonitor. | No |
| Include_Metadata_keys | Comma-separated keys to add as event metadata in an lm-log event. Specify ‘.’ for nested JSON (for example, properties.functionName,properties.message). | No |
| LM Tenant Id | LogicMonitor Tenant Identifier is sent as event metadata to LogicMonitor. | No |
| TLSVersionStorageAccount (TLS Version Storage Account) | Specify the TLS version for the storage account in the format x_x. For example, 1.2 is provided as 1_2. The default is 1_2. | Yes |
| TLSVersionFunctionApp (TLS Version Function App) | Specify the TLS version for the function app in the format X.X. The default is 1.3. | Yes |
See the following for an example of JSON code used in an Azure custom template with sample parameters:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "sourceCodeBranch": "master",
    "templateBaseUri": "[concat('https://raw.githubusercontent.com/logicmonitor/lm-logs-azure/',variables('sourceCodeBranch'),'/arm-template-deployment/')]",
    "deploymentResourceGroupName": "[concat('lm-logs','-',parameters('LM_Company_Name'), '-', replace(parameters('Resource_Group_Region'),' ',''),'-group')]",
    "eventhubNamespace": "[concat('lm-logs','-',parameters('LM_Company_Name'), '-', replace(parameters('Resource_Group_Region'),' ',''))]",
    "eventhubLogsName": "log-hub",
    "subscriptionId": "[subscription().subscriptionId]",
    "eventHubAuthorizationRuleId": "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('deploymentResourceGroupName'), '/providers/Microsoft.EventHub/namespaces/', variables('eventhubNamespace'), '/authorizationRules/RootManageSharedAccessKey')]"
  },
  "parameters": {
    "Region": {
      "type": "string",
      "metadata": {
        "description": "The location to store the deployment metadata."
      }
    },
    "Resource_Group_Region": {
      "type": "String"
    },
    "LM_Company_Name": {
      "type": "String"
    },
    "LM_Domain_Name": {
      "type": "string",
      "defaultValue": "logicmonitor.com",
      "allowedValues": [
        "logicmonitor.com",
        "lmgov.us",
        "qa-lmgov.us"
      ],
      "metadata": {
        "description": "Domain of LM Platform where logs are to be sent."
      }
    },
    "LM_Access_Id": {
      "type": "String",
      "defaultValue": "",
      "metadata": {
        "description": "LogicMonitor API Token access ID."
      }
    },
    "LM_Access_Key": {
      "type": "String",
      "defaultValue": "",
      "metadata": {
        "description": "LogicMonitor API Token access Key."
      }
    },
    "LM_Bearer_Token": {
      "type": "String",
      "defaultValue": "",
      "metadata": {
        "description": "LM API Bearer Token.\nEither specify access_id and access_key both or bearer_token. If all specified, LMv1 token(access_id and access_key) will be used for authentication with LogicMonitor."
      }
    },
    "Azure_Client_Id": {
      "type": "string",
      "metadata": {
        "description": "Application Client Id provided during the creation of azure account in LM"
      }
    },
    "Azure_Account_Name": {
      "type": "string",
      "defaultValue": "",
      "metadata": {
        "description": "Azure Account Name created during the creation of azure account in LM"
      }
    },
    "Include_Metadata_keys": {
      "type": "string",
      "defaultValue": "resourceId",
      "metadata": {
        "description": "comma separated keys to add as event metadata in a lm-log event. for nested json specify '.' eg - properties.functionName,properties.message "
      }
    },
    "LM_Tenant_Id": {
      "type": "string",
      "defaultValue": "",
      "metadata": {
        "description": "LogicMonitor Tenant Identifier sent as event metadata to LogicMonitor"
      }
    },
    "Enable_Activity_Logs": {
      "type": "String",
      "allowedValues": [
        "Yes",
        "No"
      ],
      "metadata": {
        "description": "Enable Activity logs to be sent to the event hub that will get created in this deployment"
      },
      "defaultValue": "Yes"
    },
    "TLSVersionStorageAccount": {
      "type": "string",
      "defaultValue": "1_2",
      "metadata": {
        "description": "Provide an appropriate TLS version for storage account. Format - X_X"
      }
    },
    "TLSVersionFunctionApp": {
      "type": "string",
      "defaultValue": "1.3",
      "metadata": {
        "description": "Provide an appropriate TLS version for function app. Format - X.X"
      }
    }
  },
  "resources": [
    {
      "condition": "[or(and(not(empty(parameters('LM_Access_Id'))), not(empty(parameters('LM_Access_Key')))), not(empty(parameters('LM_Bearer_Token'))))]",
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2018-05-01",
      "location": "[parameters('Resource_Group_Region')]",
      "name": "[variables('deploymentResourceGroupName')]",
      "properties": {}
    },
    {
      "apiVersion": "2017-05-10",
      "name": "linkedTemplatedeployment",
      "type": "Microsoft.Resources/deployments",
      "resourceGroup": "[variables('deploymentResourceGroupName')]",
      "comments": "Deploy resources within the group",
      "properties": {
        "mode": "Incremental",
        "templateLink": {
          "uri": "[concat(variables('templateBaseUri'), 'deployResourcesInRG.json')]",
          "contentVersion": "1.0.0.0"
        },
        "parameters": {
          "Location": {
            "value": "[parameters('Region')]"
          },
          "Azure_Region": {
            "value": "[parameters('Resource_Group_Region')]"
          },
          "LM_Company_Name": {
            "value": "[parameters('LM_Company_Name')]"
          },
          "LM_Domain_Name": {
            "value": "[parameters('LM_Domain_Name')]"
          },
          "LM_Access_Id": {
            "value": "[parameters('LM_Access_Id')]"
          },
          "LM_Access_Key": {
            "value": "[parameters('LM_Access_Key')]"
          },
          "LM_Bearer_Token": {
            "value": "[parameters('LM_Bearer_Token')]"
          },
          "Azure_Client_Id": {
            "value": "[parameters('Azure_Client_Id')]"
          },
          "Azure_Account_Name": {
            "value": "[parameters('Azure_Account_Name')]"
          },
          "sourceCodeBranch": {
            "value": "[variables('sourceCodeBranch')]"
          },
          "Include_Metadata_keys": {
            "value": "[parameters('Include_Metadata_keys')]"
          },
          "LM_Tenant_Id": {
            "value": "[parameters('LM_Tenant_Id')]"
          },
          "TLSVersionStorageAccount": {
            "value": "[parameters('TLSVersionStorageAccount')]"
          },
          "TLSVersionFunctionApp": {
            "value": "[parameters('TLSVersionFunctionApp')]"
          }
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Resources/resourceGroups/', variables('deploymentResourceGroupName'))]"
      ]
    },
    {
      "condition": "[equals(parameters('Enable_Activity_Logs'), 'Yes')]",
      "type": "Microsoft.Insights/diagnosticSettings",
      "apiVersion": "2017-05-01-preview",
      "name": "[variables('deploymentResourceGroupName')]",
      "properties": {
        "eventHubAuthorizationRuleId": "[variables('eventHubAuthorizationRuleId')]",
        "eventHubName": "[variables('eventhubLogsName')]",
        "logs": [
          {
            "category": "Administrative",
            "enabled": true
          },
          {
            "category": "Security",
            "enabled": true
          },
          {
            "category": "ServiceHealth",
            "enabled": true
          },
          {
            "category": "Alert",
            "enabled": true
          },
          {
            "category": "Recommendation",
            "enabled": true
          },
          {
            "category": "Policy",
            "enabled": true
          },
          {
            "category": "Autoscale",
            "enabled": true
          },
          {
            "category": "ResourceHealth",
            "enabled": true
          }
        ]
      },
      "dependsOn": [
        "[resourceId('Microsoft.Resources/resourceGroups/', variables('deploymentResourceGroupName'))]",
        "linkedTemplatedeployment"
      ]
    }
  ],
  "outputs": {}
}
```
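A pre-deployment check for templates shaped like the sample above, added here as an example and not part of LogicMonitor's or Microsoft's tooling. It flags secret-bearing parameters declared as plain strings (string values are recorded in the deployment history, securestring values are not), parameters('...') references that have no declaration, and a linked template pulled from a moving branch. The function name, finding labels, secret-name pattern, list of moving branch names and the trimmed sample template are assumptions made for the example.

```python
import json
import re

# Constructed excerpt: parameter and variable names follow the sample template,
# trimmed so the check runs offline. It is not the full template.
SAMPLE_TEMPLATE = json.loads(r"""{
  "variables": {"sourceCodeBranch": "master"},
  "parameters": {
    "LM_Access_Id": {"type": "String", "defaultValue": ""},
    "LM_Access_Key": {"type": "String", "defaultValue": ""},
    "LM_Bearer_Token": {"type": "String", "defaultValue": ""},
    "Include_Metadata_keys": {"type": "string", "defaultValue": "resourceId"}
  },
  "resources": [{
    "type": "Microsoft.Resources/deployments",
    "properties": {"parameters": {
      "Location": {"value": "[parameters('Region')]"},
      "LM_Access_Key": {"value": "[parameters('LM_Access_Key')]"}
    }}
  }]
}""")

SECRET_NAME = re.compile(r"(key|token|secret|password)$", re.I)  # assumed heuristic
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")
MUTABLE_REFS = {"master", "main"}  # assumption: branch names that move over time

def audit_template(template):
    """Return (finding, name) tuples for a parsed ARM template dict."""
    findings = []
    params = template.get("parameters", {})
    declared = {name.lower() for name in params}  # ARM names are case-insensitive
    # 1. Secrets declared as string are kept readable in deployment history;
    #    securestring values are not.
    for name, spec in params.items():
        if SECRET_NAME.search(name) and spec.get("type", "").lower() != "securestring":
            findings.append(("plaintext-secret", name))
    # 2. Every parameters('X') used outside the declarations must be declared.
    body = json.dumps({k: v for k, v in template.items() if k != "parameters"})
    for ref in sorted(set(PARAM_REF.findall(body))):
        if ref.lower() not in declared:
            findings.append(("undeclared-parameter", ref))
    # 3. A linked template fetched from a moving branch can change between runs.
    branch = template.get("variables", {}).get("sourceCodeBranch")
    if branch in MUTABLE_REFS:
        findings.append(("unpinned-linked-template", branch))
    return findings

if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE):
        print(finding)
```

Run it against the parsed template file before deployment and review each finding; an empty list means none of the three checks fired.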