A script that will enable diagnostics on network security groups. This will add the logs to a specific storage account.

Enable-AzureNSGDiagnostics.ps1

Param
(
	[string]$StorageAccountName,
	[string]$StorageAccountResourceGroup
)

try
{
	$ErrorActionPreference = "Stop"
	$Error.Clear()

	$StorageAccount = Get-AzureRmStorageAccount -ResourceGroupName $StorageAccountResourceGroup -Name $StorageAccountName
	$NetworkSecurityGroups = Get-AzureRmNetworkSecurityGroup

	foreach ($NetworkSecurityGroup in $NetworkSecurityGroups)
	{
		$DiagnosticSettings = Get-AzureRmDiagnosticSetting -ResourceId $NetworkSecurityGroup.Id
		if ($DiagnosticSettings.StorageAccountId -eq $null)
		{
			if($NetworkSecurityGroup.ResourceGroupName.Contains($StorageAccountResourceGroup))
			{
				Set-AzureRmDiagnosticSetting -ResourceId $NetworkSecurityGroup.Id -StorageAccountId $StorageAccount.Id -Enabled $true -Categories 'NetworkSecurityGroupEvent','NetworkSecurityGroupRuleCounter'
			}
		}
	}
}
catch
{
	Write-Output $Error
}