1. Proposed title of this feature request

Enabling diagnostic settings on ARO managed storage accounts and network security group

2. What is the nature and description of the request?

At the moment the generated ARO storage accounts (cluster*** and imageregistry***), all underlying file, blob, queue and table services, as well as the ARO cluster associated network security group (<cluster-name>-nsg) cannot be configured for forwarding of log/metric information to log analytics using "Diagnostic settings" because of a 'Deny assignment' on all ARO cluster related resources in Azure.

3. Why does the customer need this? (List the business requirements here)

The customer has an internal security policies to forward all metrics and logs to the Log Analytics workspace in Azure and wants to be compliant with the best practices on security related matters within Azure.

4. List any affected packages or components.
Storage accounts and NSGs within ARO resource group