Microsoft Azure – Create Alert For Conditional Access Policy Changes
In this article, we will look at how to create an alert for Conditional Access policy changes. Conditional Access brings signals together to make decisions and enforce organizational policies.
This alert detects:
- Creation of a new Conditional Access policy
- Deletion of a Conditional Access policy
- Changes to any current Conditional Access policy
Prerequisites:
- Log Analytics Workspace
- Contributor access on the subscription or resource group to create alerts
Follow the steps below to enable an alert on Conditional Access policy changes:
Step 1: Login to Azure Portal
Step 2: Navigate to your Log Analytics Workspace >> from the left menu select Logs >> paste the search query below into the query editor >> click on Run.
AuditLogs
| where Category == "Policy" and LoggedByService == "Conditional Access"
// TargetResources is an array, so the policy name is read from its first element
| project ActivityDateTime, Actor = tostring(InitiatedBy.user.userPrincipalName), PolicyName = tostring(TargetResources[0].displayName), ActivityDisplayName
Step 3: After running the query, click on + New alert rule at the top right. Then click on the condition name and set up the required condition:
- Alert logic: Number of results
- Operator: Greater than
- Threshold value: 0
- Period (in minutes): 15
- Frequency (in minutes): 15
Now click on “OK”.
Step 4: Add an action group and configure notifications >> click on Add action group and fill in the following details.
- Subscription: Select the subscription
- Resource group: Select the resource group
- Action group name: Enter the requested action group name (for example: security-notification)
- Display name: conditAccess
- Notification type: Email/SMS message/Push/Voice
- Name: Email-Action
- Select: Email >> email@example.com
After filling in the required details, click on Save changes.
Customize actions : Email Subject >> Add Subject line >> “Conditional Access Changes Detected – Alert”
Alert rule details:
- Alert rule name: Conditional Access Changes Detected
- Description: This alert detects creation of a new Conditional Access policy, deletion of a Conditional Access policy, and changes to any current Conditional Access policy.
- Resource group: Select the same resource group as the scope
- Severity: 2 (Warning)
- Automatically resolve alerts: false
- Suppress alerts: false
Step 5: Click on Review and Create. Once the alert is triggered, the configured email recipient is notified with the alert details.
That’s it, you are done. At this point, we have successfully enabled an email alert whenever there are any Conditional Access policy changes.
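The same five portal steps can be scripted so the alert rule is reproducible across tenants. The script below is an added example, not part of the original article: it builds the detection query, creates the action group from Step 4 and the scheduled query alert rule from Steps 3 to 5 with the Azure CLI. The resource group, workspace and location names are placeholders; the action group name, display name, e-mail address and rule name are the ones used in the article.

```shell
#!/bin/sh
# Added example (not from the original article): deploy the Conditional Access
# change alert with the Azure CLI instead of the portal.
# Placeholder values, override via environment variables:
set -eu
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-security-monitoring}"   # placeholder
WORKSPACE_NAME="${WORKSPACE_NAME:-law-security}"              # placeholder
LOCATION="${LOCATION:-eastus}"                                # placeholder
ACTION_GROUP="${ACTION_GROUP:-security-notification}"         # from the article
ALERT_EMAIL="${ALERT_EMAIL:-email@example.com}"               # from the article
RULE_NAME="Conditional Access Changes Detected"               # from the article

# Detection query from Step 2. TargetResources is an array in AuditLogs,
# so the policy name has to be read from its first element.
build_query() {
    cat <<'EOF'
AuditLogs
| where Category == "Policy" and LoggedByService == "Conditional Access"
| project ActivityDateTime,
          Actor = tostring(InitiatedBy.user.userPrincipalName),
          PolicyName = tostring(TargetResources[0].displayName),
          ActivityDisplayName
EOF
}

# Condition from Step 3: number of results greater than 0.
# 'Placeholder_1' is replaced by the query via --condition-query.
condition_spec() {
    printf '%s' "count 'Placeholder_1' > 0"
}

deploy() {
    workspace_id=$(az monitor log-analytics workspace show \
        --resource-group "$RESOURCE_GROUP" --name "$WORKSPACE_NAME" \
        --query id --output tsv)

    # Step 4: action group with a single e-mail receiver.
    az monitor action-group create \
        --resource-group "$RESOURCE_GROUP" --name "$ACTION_GROUP" \
        --short-name conditAccess \
        --action email Email-Action "$ALERT_EMAIL" >/dev/null
    action_group_id=$(az monitor action-group show \
        --resource-group "$RESOURCE_GROUP" --name "$ACTION_GROUP" \
        --query id --output tsv)

    # Steps 3 to 5: scheduled query rule scoped to the workspace,
    # 15-minute window and frequency, severity 2, no auto-resolve.
    az monitor scheduled-query create \
        --resource-group "$RESOURCE_GROUP" --name "$RULE_NAME" \
        --location "$LOCATION" \
        --scopes "$workspace_id" \
        --condition "$(condition_spec)" \
        --condition-query Placeholder_1="$(build_query)" \
        --evaluation-frequency 15m --window-size 15m \
        --severity 2 \
        --auto-mitigate false \
        --action-groups "$action_group_id" \
        --description "Creation, deletion or change of a Conditional Access policy"
}

# Only talk to Azure when explicitly asked: sh ca-alert.sh deploy
if [ "${1:-}" = "deploy" ]; then
    deploy
fi
```

Run it as `sh ca-alert.sh deploy` after `az login` with an account that has Contributor access on the resource group. The script assumes the tenant's Microsoft Entra ID diagnostic settings already forward the AuditLogs category to this workspace; without that export the query returns no rows and the rule never fires, which is worth confirming by running the Step 2 query once by hand before relying on the alert.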