Day 543. The reason why the shit from day 541 (a Key Vault resource without the "audit" log category group) breaks the built-in #Azure Policy provided by #Microsoft is that it by design always tries to deploy a diagnostic setting for all log category groups and then sets them to enabled or disabled based on parameters you supply. If one of these disabled categories doesn't exist, the deployment always fails.
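A small model of the behaviour described above, added here as an illustration and not taken from the post or from the built-in policy's template. It assumes the two category groups involved are `audit` and `allLogs`; the function names and sample data are constructed.

```python
# Constructed model of the diagnostic-setting "logs" array; not the policy's own template.
KNOWN_GROUPS = ("audit", "allLogs")  # assumption: groups the policy always emits


def policy_style_logs(enabled_groups):
    """One entry per known group, toggled by parameters (the behaviour the post describes)."""
    return [{"categoryGroup": g, "enabled": g in enabled_groups} for g in KNOWN_GROUPS]


def filtered_logs(enabled_groups, supported_groups):
    """Emit entries only for groups the target resource actually reports."""
    return [
        {"categoryGroup": g, "enabled": g in enabled_groups}
        for g in KNOWN_GROUPS
        if g in supported_groups
    ]


def unsupported_entries(logs, supported_groups):
    """Groups referenced in the payload that the resource lacks, enabled or not."""
    return [e["categoryGroup"] for e in logs if e["categoryGroup"] not in supported_groups]


def coverage_gaps(enabled_groups, supported_groups):
    """Groups you asked to collect but the resource cannot provide (a logging blind spot)."""
    return sorted(set(enabled_groups) - set(supported_groups))


if __name__ == "__main__":
    # Constructed sample: a Key Vault that reports only "allLogs", as in the day 541 case.
    supported = {"allLogs"}
    wanted = {"allLogs"}  # "audit" left disabled via parameters

    naive = policy_style_logs(wanted)
    print("policy-style payload:", naive)
    print("entries that make the deployment fail:", unsupported_entries(naive, supported))

    safe = filtered_logs(wanted, supported)
    print("filtered payload:", safe)
    print("entries that make the deployment fail:", unsupported_entries(safe, supported))

    # If audit logging was the requirement, filtering alone hides the gap; report it.
    print("coverage gaps when audit is required:", coverage_gaps({"audit"}, supported))
```

The supported set for a real resource can be read with `az monitor diagnostic-settings categories list --resource <resource-id>` before building the payload.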
