
Microsoft Azure – Create Alert For Conditional Access Policy Changes


In this article, we will look into the process of creating an alert for Conditional Access Policy changes. Conditional Access brings signals together to make decisions and enforce organizational policies, so any change to a policy is security-relevant and worth alerting on.

This alert detects:

  1. Creation of a New Conditional Access Policy,
  2. Deletion of a Conditional Access Policy,
  3. Changes to any current Conditional Access Policy.

Prerequisite:

  • Log Analytics Workspace
  • Contributor Access on Subscription or Resource Group to create alerts.

Implementation:

Follow the steps below to enable an alert on Conditional Access policy changes:

Step 1: Login to Azure Portal

Step 2: Open your Log Analytics Workspace >> from the left menu select Logs >> paste the Search Query below into the query editor >> Click on Run (refer to the Output screenshot).

Search Query:

// Azure AD audit events for Conditional Access policy add/update/delete
AuditLogs
| where Category == "Policy" and LoggedByService == "Conditional Access"
// keep only the columns needed to triage the change: when, who, which policy, what happened
| project ActivityDateTime, InitiatedBy.user.userPrincipalName, TargetResources[0].displayName, ActivityDisplayName

Output:

Step 3: After running the Query, from the top-right click on + New alert rule. Then click on Condition name and set up the required condition:

  • Alert Logic: Number of results
  • Operator: Greater than
  • Threshold value: 0
  • Period (in minutes): 15
  • Frequency (in minutes): 15

Now Click on “OK”
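To show what the rule configured in Steps 2 and 3 actually evaluates, here is an added Python example (not from the original article) that applies the same filter and projection as the KQL query to constructed sample AuditLogs records, then applies the alert logic (number of results in the last 15 minutes greater than 0). The record shape and the activity names are assumptions made for the sample.

```python
from datetime import datetime, timedelta

# Constructed sample AuditLogs records, not real tenant data. Field names follow the
# columns the KQL query uses; the ActivityDisplayName values are assumed names for the
# three change kinds the alert is meant to catch.
SAMPLE_AUDIT_LOGS = [
    {"ActivityDateTime": "2023-03-30T09:05:00Z", "Category": "Policy",
     "LoggedByService": "Conditional Access",
     "ActivityDisplayName": "Add conditional access policy",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "TargetResources": [{"displayName": "Require MFA for admins"}]},
    {"ActivityDateTime": "2023-03-30T09:07:00Z", "Category": "Policy",
     "LoggedByService": "Conditional Access",
     "ActivityDisplayName": "Delete conditional access policy",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "TargetResources": [{"displayName": "Block legacy auth"}]},
    {"ActivityDateTime": "2023-03-30T09:08:00Z", "Category": "Policy",
     "LoggedByService": "Core Directory",  # other Policy events must be ignored
     "ActivityDisplayName": "Update policy",
     "InitiatedBy": {"user": {"userPrincipalName": "ops@contoso.example"}},
     "TargetResources": [{"displayName": "Token lifetime"}]},
    {"ActivityDateTime": "2023-03-30T08:30:00Z", "Category": "Policy",
     "LoggedByService": "Conditional Access",
     "ActivityDisplayName": "Update conditional access policy",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "TargetResources": [{"displayName": "Require MFA for admins"}]},
]

def _ts(iso):
    """Parse the ISO-8601 'Z' timestamps used in the sample into aware datetimes."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def run_query(rows):
    """Local equivalent of the KQL: filter on Category/LoggedByService, project four columns."""
    out = []
    for r in rows:
        if r.get("Category") == "Policy" and r.get("LoggedByService") == "Conditional Access":
            out.append({
                "ActivityDateTime": r["ActivityDateTime"],
                "Initiator": r.get("InitiatedBy", {}).get("user", {}).get("userPrincipalName"),
                "Policy": (r.get("TargetResources") or [{}])[0].get("displayName"),
                "Activity": r["ActivityDisplayName"],
            })
    return out

def evaluate_alert(rows, now_iso, period_minutes=15, threshold=0):
    """Alert logic from Step 3: number of results in the lookback period greater than threshold."""
    now = _ts(now_iso)
    start = now - timedelta(minutes=period_minutes)
    hits = [r for r in run_query(rows) if start < _ts(r["ActivityDateTime"]) <= now]
    return len(hits) > threshold, hits
```

The Core Directory event is dropped by the filter, and only the two events inside the 15-minute window count toward the threshold.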

Step 4: Add Action Group and Configure Notification >> click on Add action group and fill in the following details.

Action Group:

  • Subscription: Select the subscription
  • Resource group: Select the resource group
  • Action group name: Select the requested action group (for example: security-notification)
  • Display name: conditAccess

Notification:

  • Notification type: Email/SMS message/Push/Voice
  • Name: Email-Action
  • Select: Email >> security@domain.com

After filling in the required details, click on Save changes.

Customize actions: Email Subject >> Add subject line >> “Conditional Access Changes Detected – Alert”

Alert rule details:

  • Alert rule name: Conditional Access Changes Detected
  • Description: This alert detects:
      1. Creation of a New Conditional Access Policy
      2. Deletion of a Conditional Access Policy
      3. Changes to any current Conditional Access Policy
  • Resource group: Select the same as the Scope Resource Group
  • Severity: 2 (Warning)
  • Automatically resolve alerts: false
  • Suppress alerts: false

Step 5: Click on Review and Create. Once the alert is triggered, the configured email recipient will be notified with the alert details.

That’s it, you are done. At this point, we have successfully enabled an email alert whenever there is any Conditional Access policy change.


Last Updated : 30 Mar, 2023