Daily Azure Shit

@azureshit

Daily dose of shit experienced on Microsoft Azure.

This account is obviously not affiliated with Microsoft.

Short: https://azsh.it
Short Example: https://azsh.it/45
Day 544. When querying #Azure Log Analytics logs over the Azure CLI, if you use the workspace name the CLI will tell you "PathNotFound" which is not really helpful. You need to use the workspace ID instead of the workspace name, which of course is a totally different thing.
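
An added example, not part of the original feed or of Microsoft's tooling: resolving a workspace name to its workspace ID (the `customerId` GUID) before running the query described in the Day 544 post. The function names, resource group and workspace names are placeholders; an authenticated Azure CLI session is assumed.

```shell
#!/usr/bin/env sh
# Added example. Assumes the Azure CLI is installed and `az login` has been run.
# la_workspace_id and la_query are hypothetical helper names.

# Resolve a Log Analytics workspace *name* to its workspace ID (the
# "customerId" GUID), which is what the query command expects.
la_workspace_id() {
  local rg="$1" name="$2" id
  id="$(az monitor log-analytics workspace show \
        --resource-group "$rg" \
        --workspace-name "$name" \
        --query customerId \
        --output tsv)" || return 1
  # Fail here with a clear message if the result is not a GUID, instead of
  # passing a bad value to the query command.
  if ! printf '%s' "$id" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
    echo "could not resolve workspace ID for $rg/$name" >&2
    return 1
  fi
  printf '%s\n' "$id"
}

# Run a KQL query against a workspace identified by resource group and name.
la_query() {
  local rg="$1" name="$2" kql="$3" ws
  ws="$(la_workspace_id "$rg" "$name")" || return 1
  az monitor log-analytics query \
    --workspace "$ws" \
    --analytics-query "$kql" \
    --output table
}

# Usage (placeholder names):
#   la_query my-rg my-workspace 'AzureDiagnostics | take 5'
```
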
Day 543. The reason why the shit from day 541 (a Key Vault resource without the "audit" log category group) breaks the built-in #Azure Policy provided by #Microsoft is that it by design always tries to deploy a diagnostic setting for all log category groups and then sets them to enabled or disabled based on parameters you supply. If one of these disabled categories doesn't exist, the deployment always fails.
Day 542. The shit from day 541 even breaks #Microsoft's own built-in #Azure Policies. When deploying a Key Vault in Denmark East and using the built-in policy to automatically deploy diagnostic settings, the policy evaluation will simply fail because the "audit" log category group does not exist, even when you want to enable a different category group. You cannot use this policy with Key Vaults in Denmark East.
Day 541. While we already know that log category groups can differ from service to service, this is the first time we have seen different category groups within one service. In this example, we found that #Azure Key Vaults in Denmark East do not have the "audit" log category group while it exists in other regions. Both of these Key Vaults have been created at the same time, so this is not about age of the resource.
Day 540. Continuing the shit from day 539, Azure CLI not being able to show built-in Azure Policy definitions has been a known issue for years. Instead of fixing it, #Microsoft support simply closed the issue and called it a day.
Day 539. When trying to query a built-in #Azure Policy definition using the Azure CLI, the CLI will first tell you to supply a "--policy" argument and then tell you that there is no such argument.
Day 538. To work around the shit from day 537, to log into a specific #Azure tenant in the Azure Portal without triggering any MFA flows for other directories, you can hotlink a tenant like this: "portal.azure.com/<tenantId>"
Day 537. The #Azure Portal setting for startup directory applies to your whole Microsoft Account and not just the browser you are currently in. Which is kind of stupid, because if you have multiple browsers set up for multiple Azure tenants, Azure will by default always log you into the same Azure tenant, regardless of your work environment.
Day 536. In case you are wondering, the terms "Azure tenant" and "Azure directory" largely refer to the same thing and are most often used interchangeably. They even always have the same UUID. According to #Microsoft support, there apparently is some distinction on a technical level though. Why does it always have to be this complicated?
Day 535. Once you have associated a custom route table to your #Azure Kubernetes Cluster, you are not allowed to change that route table. That seems to be a completely arbitrary limitation since you are allowed to change all custom routes, just not the name of the route table. And while they also state it in the docs, it doesn't get explained. Want to use a new route table for your cluster? Easy, deploy a new cluster.