
DeployIfNotExists policy at Subscription level


I am trying to enable Diagnostic Settings of subscriptions using a custom policy. But, the compliance report always shows 0/0; basically it is not identifying the subscriptions under a management group. To confirm this behavior, I created a custom policy, duplicating the BuiltIn policy "Enable Azure Security Center on your subscription". It is also showing 0/0. Is there any limitation to deploy something using a DeployIfNotExists policy at subscription level?


Solution

  • Azure Policy is capable of deploying resources at the Subscription level. Are you sure that your scope for the Policy Assignment is set at the parent Management group of your Subscriptions?

    This should be what you are looking for. There are examples in this directory for creating diagnostic settings for Activity Logs on a Subscription that point to a Storage Account, Log Analytics Workspace, or an Event Hub. Below is a link for a DeployIfNotExists policy that points to a Log Analytics Workspace.

    https://github.com/Azure/Community-Policy/blob/master/Policies/Monitoring/deploy-diagnostic-setting-for-activity-log-log-analytics/azurepolicy.json (all credit for this policy to the original author)
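Added example, not part of the original question or answer and not the linked community policy: a minimal subscription-level DeployIfNotExists definition for Activity Log diagnostic settings, deployed with the Az PowerShell modules at the parent management group, as the answer recommends. It shows the three settings that decide whether subscriptions are evaluated at all (`mode` of `All`, an `if` that matches the `Microsoft.Resources/subscriptions` type, and `deploymentScope`/`existenceScope` of `subscription`), grants the assignment's managed identity the roles the rule lists, starts a remediation task so existing subscriptions are covered, and queries policy state to confirm that subscriptions are being evaluated (the 0/0 symptom means none were). The management group name, workspace resource ID, location and assignment name are hypothetical placeholders; the two role definition GUIDs are the built-in Monitoring Contributor and Log Analytics Contributor roles, which you should confirm with `Get-AzRoleDefinition` in your tenant.

```powershell
# Added example (not from the original Q&A). Requires Az.Resources and Az.PolicyInsights,
# run after Connect-AzAccount by a principal with Owner on the management group.
# Placeholder values: $mgName, $workspaceId, $location, $assignmentName.
$mgName         = 'contoso-mg'   # parent management group of the target subscriptions
$mgScope        = "/providers/Microsoft.Management/managementGroups/$mgName"
$workspaceId    = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-central'
$location       = 'eastus'       # subscription-scope deployments require an explicit location
$assignmentName = 'deploy-sub-activity-log'

# Policy rule. The 'if' matches the subscription resource itself, so the policy evaluates
# subscriptions rather than the resources inside them. Both deploymentScope and
# existenceScope must be 'subscription', otherwise the existence check and the ARM
# deployment target the wrong level and the policy never becomes compliant.
$rule = @'
{
  "if": { "field": "type", "equals": "Microsoft.Resources/subscriptions" },
  "then": {
    "effect": "DeployIfNotExists",
    "details": {
      "type": "Microsoft.Insights/diagnosticSettings",
      "deploymentScope": "subscription",
      "existenceScope": "subscription",
      "existenceCondition": {
        "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
        "equals": "[parameters('logAnalytics')]"
      },
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
        "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
      ],
      "deployment": {
        "location": "eastus",
        "properties": {
          "mode": "incremental",
          "parameters": { "logAnalytics": { "value": "[parameters('logAnalytics')]" } },
          "template": {
            "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
            "contentVersion": "1.0.0.0",
            "parameters": { "logAnalytics": { "type": "string" } },
            "resources": [
              {
                "type": "Microsoft.Insights/diagnosticSettings",
                "apiVersion": "2017-05-01-preview",
                "name": "subscriptionToLogAnalytics",
                "location": "Global",
                "properties": {
                  "workspaceId": "[parameters('logAnalytics')]",
                  "logs": [
                    { "category": "Administrative", "enabled": true },
                    { "category": "Security",       "enabled": true },
                    { "category": "ServiceHealth",  "enabled": true },
                    { "category": "Alert",          "enabled": true },
                    { "category": "Recommendation", "enabled": true },
                    { "category": "Policy",         "enabled": true },
                    { "category": "Autoscale",      "enabled": true },
                    { "category": "ResourceHealth", "enabled": true }
                  ]
                }
              }
            ]
          }
        }
      }
    }
  }
}
'@

$params = @'
{ "logAnalytics": { "type": "String",
    "metadata": { "displayName": "Log Analytics workspace", "strongType": "omsWorkspace" } } }
'@

# 1. Definition at the management group. Mode must be All: Indexed mode only evaluates
#    resource types that support tags and location, so subscriptions are skipped and
#    the compliance view shows 0/0.
$def = New-AzPolicyDefinition -Name 'deploy-sub-activity-log-to-law' `
  -DisplayName 'Deploy Activity Log diagnostic setting to Log Analytics' `
  -Policy $rule -Parameter $params -Mode All -ManagementGroupName $mgName

# 2. Assignment at the management group with a system-assigned identity
#    (-IdentityType needs Az.Resources 4.x or later; older versions use -AssignIdentity).
$assignment = New-AzPolicyAssignment -Name $assignmentName -Scope $mgScope `
  -PolicyDefinition $def -Location $location -IdentityType 'SystemAssigned' `
  -PolicyParameterObject @{ logAnalytics = $workspaceId }

# 3. The identity needs the roleDefinitionIds from the rule at the assignment scope, or the
#    deployment fails silently in the remediation task. The property name for the principal
#    differs between Az.Resources versions, so accept either. A short wait avoids
#    "principal not found" while the new identity replicates in Entra ID.
$principalId = if ($assignment.IdentityPrincipalId) { $assignment.IdentityPrincipalId } else { $assignment.Identity.PrincipalId }
Start-Sleep -Seconds 30
foreach ($roleId in '749f88d5-cbae-40b8-bcfc-e573ddc772fa', '92aaf0da-9dab-42b6-94a3-d43ce8d16293') {
  New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionId $roleId -Scope $mgScope
}

# 4. DeployIfNotExists only fires when a resource is created or updated; subscriptions that
#    already exist are only fixed by a remediation task.
$assignmentId = "$mgScope/providers/Microsoft.Authorization/policyAssignments/$assignmentName"
Start-AzPolicyRemediation -Name "$assignmentName-remediation" -ManagementGroupName $mgName `
  -PolicyAssignmentId $assignmentId

# 5. Confirm subscriptions are being evaluated. After the next evaluation cycle this lists one
#    row per subscription under the management group; an empty result reproduces the 0/0 symptom
#    and points at scope, mode, or the 'if' block rather than at the deployment itself.
Get-AzPolicyState -ManagementGroupName $mgName -Filter "PolicyAssignmentName eq '$assignmentName'" |
  Select-Object ResourceId, ComplianceState
```

The existence condition above only checks that some diagnostic setting on the subscription points at the expected workspace; a stricter check would also count the enabled `logs[*]` categories so that a setting with, for example, the Security category disabled is still reported as non-compliant and remediated.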