How to Fix Azure Monitor Setup and Configuration Issues
Why Azure Monitor Issues Are So Common (And Why the Error Messages Don't Help)
You opened the Azure portal, navigated to Azure Monitor, and... nothing. Your metrics aren't showing up. Your Log Analytics workspace is sitting there empty. Or maybe your alerts are firing non-stop, or worse, not firing at all when they should. I've seen this exact scenario play out dozens of times across teams of every size , from solo developers running a side project to enterprise teams managing thousands of virtual machines.
Here's the honest truth: Azure Monitor is Microsoft's unified observability platform for collecting, analyzing, and acting on telemetry from cloud and hybrid environments. It's powerful. But "powerful" often means "complicated to configure correctly." The platform brings together metrics, logs, traces, and events into one place , and each of those data types has its own collection path, its own agents, its own workspace requirements. When one piece is misconfigured, everything downstream goes dark.
The most common reasons people end up on a guide like this one:
- No data collection rule (DCR) is attached to the resource. This is the single biggest cause of empty dashboards. Azure Monitor Agent on a VM does nothing useful without a DCR telling it what to collect and where to send it.
- The Azure Monitor Agent isn't installed or is in a failed state. Microsoft deprecated the old MMA (Microsoft Monitoring Agent) and OMS agent in 2024. If you're still referencing those in your documentation or scripts, you'll get zero data.
- Log Analytics workspace and the monitored resource are in different subscriptions or regions without the right cross-workspace configuration. This trips up a lot of people who inherited an Azure environment.
- Diagnostic settings haven't been enabled on the resource. For PaaS services, App Service, SQL Database, Storage Accounts, Azure Monitor doesn't collect detailed logs automatically. You have to turn on diagnostic settings for each resource individually.
- Cost controls are silently dropping data. If you've set a daily data cap on your Log Analytics workspace and it's been hit, new incoming data gets rejected. Your VMs look healthy; your workspace just stopped accepting data hours ago.
- Permissions are wrong. Azure Monitor reads require at least the Monitoring Reader role, and writing to Log Analytics requires Monitoring Contributor. Missing these roles means dashboards load as blank, with no error message telling you why.
I know this is frustrating, especially when your on-call rotation depends on Azure Monitor alerts actually working. The error messages in the portal rarely point you to the real problem. You'll stare at "No data available" with no indication of whether data isn't being collected, isn't being stored, or isn't being queried correctly. This guide walks you through every layer so you can pinpoint exactly where your Azure Monitor setup is broken.
The Quick Fix for Azure Monitor, Try This First
Before you go through a full diagnostic, run this mental checklist. In my experience, about 70% of Azure Monitor configuration issues come down to one of three things: no DCR, no agent, or diagnostic settings not enabled. Let's knock those out fast.
Step 1, Check if Azure Monitor Agent is running on your VM. Go to the Azure portal, open your VM, and navigate to Settings > Extensions + applications. Look for AzureMonitorWindowsAgent or AzureMonitorLinuxAgent in the list. The status should show Provisioning succeeded. If it's missing entirely, or if the status shows a failure, that's your problem right there.
Step 2, Check if a Data Collection Rule is associated with that VM. Go to Azure Monitor > Data Collection Rules from the left sidebar. Find your DCR, open it, click Resources, and verify your VM is listed. No association means no data, it's that simple.
Step 3, For PaaS resources, check Diagnostic Settings. Open the specific resource (e.g., your App Service or Azure SQL instance), scroll down to Monitoring > Diagnostic settings in the left menu. If you see "No diagnostic settings defined," that's why you have no logs. Click + Add diagnostic setting, select the log categories you want, and send them to your Log Analytics workspace.
Step 4, Verify your workspace has data with a quick KQL query. Open Azure Monitor > Logs, select your workspace, and run:
search *
| take 10If this returns results, data is flowing. If it returns nothing, or returns a "No workspace selected" message, the collection pipeline is broken, and you need the step-by-step section below.
Step 5, Check the daily data cap. In your Log Analytics workspace, go to Settings > Usage and estimated costs. Look at the "Daily Cap" setting. If it's enabled and the cap has been reached, you'll see a warning banner. Disable or raise the cap temporarily to restore data flow.
Azure Monitor Log Analytics is the backbone of the whole system. Before you can collect logs or traces from anything, you need a workspace. And it needs to be in the right region, ideally the same region as the resources you're monitoring to avoid cross-region data transfer costs and latency.
To create a workspace: In the Azure portal, search for Log Analytics workspaces in the top search bar, click + Create, select your subscription and resource group, give it a name (keep it descriptive, something like prod-monitoring-eastus-ws), and choose your region. Click Review + Create.
Once created, the first thing to configure is the pricing tier. Go to Settings > Usage and estimated costs > Data retention. The default retention is 30 days. If you need longer for compliance, you can extend it up to 730 days, though costs scale accordingly. For most teams, 90 days is a practical balance.
Now navigate to Settings > Workspace summary and note your Workspace ID and the resource ID. You'll need both when setting up data collection rules and when writing KQL queries that span multiple workspaces.
To verify the workspace is ready to accept data, open Logs from the workspace's left menu and run this query:
Heartbeat
| summarize LastHeartbeat=max(TimeGenerated) by Computer
| where LastHeartbeat > ago(1h)If agents are installed and connected, you'll see a list of machines with their last heartbeat timestamps. If the result is empty, agents either aren't installed or aren't sending data to this specific workspace.
The Azure Monitor Agent (AMA) is what collects data from your virtual machines, on-premises servers, and other infrastructure. The old Log Analytics agent, also called the MMA or OMS agent, has been retired. If you're on the old agent, you need to migrate. This is non-negotiable.
To install AMA from the portal: Open your virtual machine, go to Settings > Extensions + applications > + Add. Search for Azure Monitor Agent, select the Windows or Linux version as appropriate, and click Next > Review + create.
You can also install at scale using Azure Policy. In the portal, go to Policy > Assignments > + Assign policy and search for the built-in policy "Configure Windows virtual machines to run Azure Monitor Agent" or the Linux equivalent. Assign it to your subscription or management group and it will automatically deploy the agent to any VM that's missing it.
For PowerShell deployment on a single VM:
Set-AzVMExtension `
-ResourceGroupName "your-rg" `
-VMName "your-vm" `
-Name "AzureMonitorWindowsAgent" `
-Publisher "Microsoft.Azure.Monitor" `
-ExtensionType "AzureMonitorWindowsAgent" `
-TypeHandlerVersion "1.0" `
-Location "eastus"After installation, wait 5 minutes and then check the agent status. Go to the VM, open Extensions + applications, and look at the status column for the AMA extension. Provisioning succeeded means the agent is installed. But "installed" doesn't mean "collecting data", you still need a data collection rule pointing at this machine.
If the extension shows a failure, check the agent logs at C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.Monitor.AzureMonitorWindowsAgent\ on Windows, or at /var/log/azure/Microsoft.Azure.Monitor.AzureMonitorLinuxAgent/ on Linux.
This is the step that most guides skip over too quickly, and it's where most Azure Monitor setups break down. A Data Collection Rule defines what data to collect, from where, and where to send it. Without a DCR associated with your VM, the Azure Monitor Agent just sits there doing nothing.
To create a DCR: In the Azure portal, go to Azure Monitor > Data Collection Rules > + Create. Choose a name, subscription, resource group, and region. Under Platform Type, choose Windows, Linux, or Custom depending on your target.
On the Resources tab, click + Add resources and select the VMs or VM Scale Sets you want to monitor. This is the association step, think of it as telling the DCR which agents to push instructions to.
On the Collect and deliver tab, click + Add data source. You'll see options including:
- Performance counters, CPU, memory, disk, network metrics at configurable intervals
- Windows Event Logs, System, Application, Security event channels
- Syslog, For Linux hosts
- Custom logs, For text log files on disk
Select your data source, configure it (for Windows Event Logs, I recommend at minimum: Application/Error, System/Error, System/Critical, and Security/Audit Failure), then set the Destination to your Log Analytics workspace.
After saving, check data flow within 15 minutes by running this KQL in your workspace:
Event
| where TimeGenerated > ago(30m)
| summarize count() by Computer, EventLevelName
| order by count_ descIf Windows event data appears, your DCR is working. For performance counters, query the Perf table instead.
Here's something that catches a lot of people off guard: Azure Monitor Agent handles your VMs. But for managed Azure services, App Service, Azure SQL, Storage Accounts, Key Vault, Azure Kubernetes Service, and dozens more, you need Diagnostic Settings instead. These are separate from DCRs and the AMA.
To enable diagnostic settings for any Azure resource: Open the resource in the portal, scroll down in the left navigation to Monitoring > Diagnostic settings. Click + Add diagnostic setting.
You'll see a list of available log categories and metric groups specific to that resource type. For an App Service, for example, you'll see categories like AppServiceHTTPLogs, AppServiceConsoleLogs, AppServiceAppLogs, and AppServiceAuditLogs. For Azure SQL, you'll see SQLInsights, AutomaticTuning, QueryStoreRuntimeStatistics, and more.
Select the log categories relevant to your use case, then under Destination details, check Send to Log Analytics workspace and select your workspace. Click Save.
At scale, you can enforce diagnostic settings across all resources using an Azure Policy initiative. The built-in "Deploy Diagnostic Settings for Azure Services" policy initiative covers most resource types. To check which resources in your subscription are missing diagnostic settings, run this Azure CLI command:
az monitor diagnostic-settings list \
--resource "/subscriptions/{subscription-id}/resourceGroups/{rg}/providers/Microsoft.Web/sites/{app-name}" \
--query "[].{name:name, logs:logs[?enabled==\`true\`].category}" \
--output tableGive it 10–20 minutes after saving for logs to start appearing in your workspace. Then query the specific table for your resource type, for App Service HTTP logs it's AppServiceHTTPLogs, for Key Vault it's AzureDiagnostics filtered by ResourceType == "VAULTS".
Getting data into Azure Monitor is only half the story. The other half is making that data actionable, and that means setting up alerts that notify you before problems affect your users. I've seen alert configurations that look correct but never fire, and others that generate hundreds of notifications per hour. Let me show you how to get this right.
In the portal, go to Azure Monitor > Alerts > + Create > Alert rule. The workflow has five sections: Scope, Condition, Actions, Details, and Tags.
Under Scope, select the resource or resource group you want to monitor. Under Condition, you choose the signal type. You have three main options:
- Metrics, Near-real-time, evaluated every 1–5 minutes. Best for CPU, memory, response time thresholds.
- Log search (KQL), Runs a KQL query against your Log Analytics workspace on a schedule. Best for complex conditions spanning multiple tables.
- Activity log, Fires on administrative events like resource deletion or policy assignment changes.
For a practical example, here's a KQL-based alert for detecting VM restarts in the last hour:
Event
| where EventLog == "System"
| where EventID in (41, 1074, 6006, 6008)
| where TimeGenerated > ago(1h)
| project TimeGenerated, Computer, EventID, RenderedDescriptionSet the alert logic to fire when the number of results is greater than 0, with a 5-minute evaluation frequency and a 1-hour lookback window.
For the Actions section, you need an Action Group. Click + Create action group, give it a name, and add at least one notification (email or SMS) and consider adding an Azure Function or webhook for automated remediation. This is where AIOps capabilities come in, Azure Monitor's smart alert features can use dynamic thresholds that learn from your metrics' baseline behavior, which dramatically reduces false positives compared to static thresholds.
After creating the alert, wait one full evaluation cycle and then check Azure Monitor > Alerts > Alert rules. The Last fired column shows the most recent trigger. If an alert looks correct but hasn't fired when it should have, check the Monitor condition column, "Fired" means the condition is currently true, "Resolved" means it was true but isn't now, and "Not yet evaluated" means something is wrong with the query or scope definition.
Advanced Azure Monitor Troubleshooting
If the steps above didn't resolve your issue, you're dealing with one of the edge cases. Here's how to work through the harder problems.
Analyzing Azure Monitor Agent Failures with Event Viewer
On a Windows VM where the AMA is installed but not sending data, open Event Viewer, navigate to Applications and Services Logs > Microsoft > AzureMonitor > AMCS. Look for Event IDs in the 2000–3000 range. Event ID 2100 indicates a successful DCR download. Event ID 2002 or 3010 typically indicates a connectivity or authentication failure, usually a missing managed identity or a network security group blocking outbound traffic on port 443 to *.monitor.azure.com.
The AMA requires the VM's system-assigned managed identity to have the Monitoring Metrics Publisher role on the Data Collection Rule resource, and the Log Analytics Contributor role on the destination workspace. If either is missing, data collection silently fails. Check these role assignments under the DCR's Access control (IAM) blade.
Debugging KQL Queries That Return No Data
When a KQL query in Log Analytics returns no results, start broad and narrow down:
-- First, check what tables have data
search *
| summarize count() by $table
| order by count_ descThis tells you exactly which tables are populated in your workspace. If your expected table (like Syslog or SecurityEvent) isn't in the list, data isn't reaching that table, go back and check your DCR configuration.
Prometheus Metrics and Azure Monitor Workspace
If you're running Kubernetes and relying on Prometheus metrics, note that these go to an Azure Monitor workspace, which is a different resource from a Log Analytics workspace. These metrics use PromQL, not KQL. The common mistake is querying Prometheus metrics in Log Analytics and getting nothing back. To analyze Prometheus metrics, go to Azure Monitor > Metrics, select your Azure Monitor workspace as the scope, and switch to PromQL mode. Or connect a Grafana instance, Azure Monitor has native integration that lets you query both KQL and PromQL from the same Grafana dashboard.
Cross-Subscription and Hybrid Scenarios
In enterprise environments with multiple subscriptions, you often need a central Log Analytics workspace that aggregates data from VMs across different subscriptions. This works, but the DCR and the workspace must allow it. The VM's managed identity needs the Monitoring Metrics Publisher role on the DCR in the monitoring subscription, and the workspace must have appropriate access policies. For on-premises or other-cloud VMs, onboard them through Azure Arc first, this gives them a managed identity and makes them visible as Azure resources, at which point standard DCR assignment works identically.
Application Insights Not Showing Data
Application Insights is an OpenTelemetry-based feature within Azure Monitor. If your web app's Application Insights resource is empty, first check whether auto-instrumentation is enabled. For Azure App Service, go to Settings > Application Insights and confirm the toggle shows Enabled with your AI resource selected. For custom apps, confirm the connection string is set, not the old instrumentation key (deprecated) but the full APPLICATIONINSIGHTS_CONNECTION_STRING environment variable. The connection string format is: InstrumentationKey=xxx;IngestionEndpoint=https://...;LiveEndpoint=https://....
If you've verified agent installation, DCR association, role assignments, network connectivity, and diagnostic settings, and data still isn't flowing after 30 minutes, it's time to open a support ticket. Specifically escalate if: your Azure Monitor Agent shows "Provisioning succeeded" but the AMCS event log shows persistent 3010 errors; your Log Analytics workspace is in a "degraded" state visible in the Azure Service Health portal; or your alerts stopped firing after a recent Azure platform update. Open a ticket at Microsoft Support and include your DCR resource ID, workspace ID, and the specific Event IDs from the AMA event log. That information gets you past tier 1 fast.
Prevention & Best Practices for a Solid Azure Monitor Setup
Once you've fixed the immediate issue, here's how to build an Azure Monitor configuration that stays healthy. These aren't theoretical recommendations, they're patterns I've seen separate the teams who catch problems in staging from the teams who learn about outages from their customers.
Treat your DCRs as infrastructure as code. Don't create DCRs manually through the portal and then forget about them. Use ARM templates or Bicep to define your data collection rules alongside the resources they monitor. That way, when a new VM is provisioned, the DCR association is automatic. A basic Bicep module for DCR association looks like this:
resource dcr 'Microsoft.Insights/dataCollectionRules@2022-06-01' existing = {
name: 'prod-dcr-windows'
scope: resourceGroup('monitoring-rg')
}
resource dcraAssociation 'Microsoft.Insights/dataCollectionRuleAssociations@2022-06-01' = {
name: 'configurationAccessEndpoint'
scope: vm
properties: {
dataCollectionRuleId: dcr.id
}
}Set up Azure Monitor health alerts for Azure Monitor itself. Yes, you can monitor the monitor. Create an activity log alert that fires when your Log Analytics workspace ingestion drops below your expected baseline. This catches daily cap hits and workspace outages before your team notices the gap.
Use workbooks for proactive visibility, not just reactive investigation. Azure Monitor Workbooks let you build interactive, parameterized dashboards from KQL queries. Build a workbook that shows agent health, DCR association coverage, and workspace ingestion rate across all your subscriptions. Check it weekly. A visual that shows "VM X has had no heartbeat for 48 hours" is far better than discovering a monitoring gap after an incident.
Tag your resources consistently for query efficiency. When you query across large workspaces, filtering by tag values in KQL (via the _ResourceTags field) is much faster than trying to filter by resource name patterns. Agree on a tagging taxonomy, environment, team, criticality, and apply it everywhere from day one.
- Enable the VM Insights solution (Azure Monitor > Virtual Machines > Insights), it deploys the agent, a DCR, and pre-built workbooks in one click for most common VM monitoring scenarios.
- Set a data retention policy immediately after creating a Log Analytics workspace, default 30 days often isn't enough for security or compliance teams, but you don't want to discover that at audit time.
- Use Azure Policy > Compliance to report on which resources are missing diagnostic settings, search for the built-in "Audit diagnostic setting" policy definitions and assign them as Audit-mode to get a compliance dashboard without enforcing anything yet.
- Connect your Azure Monitor workspace to Grafana using the built-in integration, it gives your operations team a familiar interface and lets you combine Azure metrics with Prometheus metrics from on-premises and other clouds in a single pane of glass.
Frequently Asked Questions About Azure Monitor
What exactly is Azure Monitor and what can it monitor?
Azure Monitor is Microsoft's unified observability service that collects, analyzes, and acts on telemetry from Azure services, virtual machines, Kubernetes clusters, applications, and hybrid/on-premises environments. It can monitor essentially anything in your Azure estate: VMs and infrastructure, PaaS services like App Service and Azure SQL, containerized workloads in AKS, live web applications via Application Insights, AI agents running in Microsoft Foundry or Copilot Studio, and even on-premises servers connected through Azure Arc. The platform consolidates metrics, logs, traces, and events so you don't need separate tools for each data type.
How do I collect data with Azure Monitor, where do I even start?
The starting point depends on what you're monitoring. For virtual machines, you install the Azure Monitor Agent and attach a Data Collection Rule (DCR) that specifies what to collect and where to send it. For managed Azure services (App Service, Key Vault, Azure SQL, etc.), you enable Diagnostic Settings on each resource and point them at a Log Analytics workspace. For Kubernetes, you enable Container Insights through Azure Monitor > Containers. For web applications, you add Application Insights instrumentation. In every case, data lands in either a Log Analytics workspace (for logs and traces, queried with KQL) or an Azure Monitor workspace (for Prometheus metrics, queried with PromQL).
Why is my Azure Monitor Log Analytics workspace showing no data after I set everything up?
The three most common causes are: (1) No Data Collection Rule is associated with your VM, the agent needs a DCR to know what to collect and where to send it; (2) Diagnostic Settings haven't been enabled on PaaS resources, these don't send data automatically; (3) The VM's managed identity is missing the Monitoring Metrics Publisher role on the DCR or the Log Analytics Contributor role on the workspace. Check all three before anything else. If those look correct, run search * | take 10 in Log Analytics to confirm the workspace itself can receive queries, then check the AMA event logs on the VM for connection errors.
What's the difference between a Log Analytics workspace and an Azure Monitor workspace?
A Log Analytics workspace stores logs and trace data, Windows events, syslog, Application Insights telemetry, diagnostic logs from Azure services, and you query it with KQL (Kusto Query Language). An Azure Monitor workspace is a newer resource type that stores Prometheus and OpenTelemetry metrics, queried with PromQL. For most traditional monitoring use cases (VM logs, app traces, Azure service diagnostics), you need a Log Analytics workspace. If you're running Kubernetes workloads and using Prometheus for metrics collection, you also need an Azure Monitor workspace. The two can coexist and both feed into Azure Monitor's analysis and alerting features.
How do I set up Azure Monitor for a hybrid environment with on-premises servers?
The recommended path is Azure Arc. By installing the Azure Arc agent on your on-premises or other-cloud VMs, they appear as Azure resources and get a system-assigned managed identity. From that point, you can install Azure Monitor Agent and attach DCRs to them exactly the same way as native Azure VMs. For environments with very large data volumes or intermittent connectivity, Microsoft offers the Azure Monitor Pipeline (a locally deployed data collection tier) that can buffer and forward data even when the connection to Azure is unreliable. Arc-connected machines show up in Azure Monitor under the same subscriptions and resource groups as your cloud resources, so you get a single view across everything.
Azure Monitor costs are getting out of control, how do I reduce them without losing visibility?
Start by running the Usage table query in Log Analytics: Usage | summarize TotalGB=sum(Quantity)/1024 by DataType | order by TotalGB desc, this shows you exactly which data types are consuming the most storage. Security events and verbose performance counters are usually the biggest offenders. In your DCR, reduce the performance counter collection frequency from every 10 seconds to every 60 seconds for non-critical counters. For security events, use the "Common" event set rather than "All" in the DCR's Windows Event Log configuration. Also check if the Basic Logs tier is available for high-volume, low-query tables like verbose diagnostic logs, it's significantly cheaper per GB with a 30-day retention and pay-per-query model rather than pay-per-ingestion.