Microsoft Azure – Create Alert For Conditional Access Policy Changes

  • Last Updated : 16 Dec, 2021

In this article, we will look into the process of creating an alert for Conditional Access policy changes. Conditional Access brings signals together to make decisions and enforce organizational policies, so any change to a policy (intended or not) can widen or narrow who gets access to what, and should be visible to the security team as soon as it happens.

This alert detects:

  1. Creation of a New Conditional Access Policy,
  2. Deletion of a Conditional Access Policy,
  3. Changes to any current Conditional Access Policy.

Prerequisite:

  • Log Analytics Workspace
  • Contributor Access on Subscription or Resource Group to create alerts.

Implementation: 

Follow the steps below to enable an alert on Conditional Access policy changes:

Step 1: Log in to the Azure Portal.

Step 2: Navigate to your Log Analytics Workspace >> from the left menu select Logs >> paste the search query below into the query editor >> click on Run (refer to the output screenshot).

Search Query:

AuditLogs
| where Category == "Policy" and LoggedByService == "Conditional Access"
| project ActivityDateTime, InitiatedBy.user.userPrincipalName, TargetResources[0].displayName, ActivityDisplayName

Output:

Step 3: After running the query, click on + New alert rule at the top right. Then click on the condition name and set up the required condition:

  • Alert logic: Number of results
  • Operator: Greater than
  • Threshold value: 0

  • Period (in minutes): 15
  • Frequency (in minutes): 15

With this condition the rule runs the query every 15 minutes over the last 15 minutes of data and fires whenever at least one matching row is returned.

Now click on "OK".

Step 4: Add an action group and configure the notification >> click on Add action group and fill in the following details.

Action Group:

  • Subscription: Select the subscription
  • Resource group: Select the resource group
  • Action group name: Select the requested action group (for example: security-notification)
  • Display name: conditAccess

Notification:

  • Notification type: Email/SMS message/Push/Voice
  • Name: Email-Action
  • Select: Email >> security@domain.com

After filling in the required details, click on Save changes.

Customize actions: Email subject >> add the subject line >> "Conditional Access Changes Detected – Alert"

Alert rule details:

  • Alert rule name: Conditional Access Changes Detected
  • Description: This alert detects:
      1. Creation of a New Conditional Access Policy
      2. Deletion of a Conditional Access Policy
      3. Changes to any current Conditional Access Policy
  • Resource group: Select the same resource group as the scope
  • Severity: 2 Warning
  • Automatically resolve alerts: false
  • Suppress alerts: false

Step 5: Click on Review and Create. Once the alert is triggered, the configured email recipient will be notified with the alert details.
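To make the query in Step 2 and the condition in Step 3 concrete, here is an offline model of both as an added example (not part of the original article). The AuditLogs rows are constructed samples shaped like Azure AD audit records; the field names follow the query.

```python
"""Offline model of the AuditLogs query and alert condition from this page.
Added example; the rows below are constructed samples, not real tenant data."""
from datetime import datetime, timedelta

def _row(when, category, service, activity, user, target):
    """Build one constructed AuditLogs-shaped record (user=None for app-initiated)."""
    return {"ActivityDateTime": when, "Category": category, "LoggedByService": service,
            "ActivityDisplayName": activity,
            "InitiatedBy": {"user": {"userPrincipalName": user}} if user else {"app": {}},
            "TargetResources": [{"displayName": target}]}

SAMPLE_AUDIT_LOGS = [
    _row("2021-12-16T09:05:00Z", "Policy", "Conditional Access",
         "Add conditional access policy", "admin@contoso.example", "Require MFA for admins"),
    _row("2021-12-16T09:07:00Z", "Policy", "Conditional Access",
         "Update conditional access policy", None, "Block legacy auth"),  # app-initiated
    _row("2021-12-16T09:08:00Z", "Policy", "Core Directory",  # a policy, but not CA
         "Update policy", "admin@contoso.example", "Token lifetime policy"),
    _row("2021-12-16T08:30:00Z", "UserManagement", "Core Directory",
         "Add user", "hr@contoso.example", "new.hire@contoso.example"),
]

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def conditional_access_changes(rows):
    """Mirror of the KQL: keep Category == "Policy" and LoggedByService ==
    "Conditional Access", then project the four columns. A missing nested
    field (e.g. no InitiatedBy.user) projects as None, as KQL yields empty."""
    out = []
    for r in rows:
        if r.get("Category") != "Policy" or r.get("LoggedByService") != "Conditional Access":
            continue
        out.append({
            "ActivityDateTime": r["ActivityDateTime"],
            "InitiatedBy_user_userPrincipalName":
                r.get("InitiatedBy", {}).get("user", {}).get("userPrincipalName"),
            "TargetResources_0_displayName":
                (r.get("TargetResources") or [{}])[0].get("displayName"),
            "ActivityDisplayName": r.get("ActivityDisplayName"),
        })
    return out

def should_alert(rows, now_iso, period_minutes=15, threshold=0):
    """Step 3 logic: fire when the number of results in the look-back period is
    greater than the threshold (0). now_iso marks the end of the window."""
    end = _ts(now_iso)
    start = end - timedelta(minutes=period_minutes)
    hits = [r for r in conditional_access_changes(rows) if start <= _ts(r["ActivityDateTime"]) <= end]
    return len(hits) > threshold
```

Note that the second sample row has no InitiatedBy.user, so the projected user principal name is empty; when triaging a real alert, an empty user column usually means a service principal or automation made the change, and the InitiatedBy.app fields are the place to look next.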

That's it, you are done. At this point, we have successfully enabled an email alert whenever there are any Conditional Access policy changes.
