How can we set up an Azure alert if a deny action is recorded on Azure Policy? Is that possible only using Log Analytics?

Techtester 0 Reputation points
2024-02-07T02:35:40.59+00:00

How can we set up an Azure alert if a deny action is recorded on Azure Policy? Is that possible only using Log Analytics? Do we have an easy way to set up those alerts so that we can get an email instantly if any deny action is performed?

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.

2 answers

  1. Clive Watson 5,716 Reputation points MVP
    2024-02-07T07:58:28.59+00:00

    This could be achieved with ARG and the new support for that in an Azure Monitor alert.

    https://techcommunity.microsoft.com/t5/azure-governance-and-management/announcing-the-public-preview-of-alerting-on-azure-resource/ba-p/3980771#:~:text=Here%20is%20a%20basic%20guide%20to%20help%20you,arg%20%28%22%22%29.Table_name%20as%20shown%20in%20the%20picture%20below.

    Example ARG query:

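    // Policy definitions whose default "effect" parameter is Deny
    policyresources
    | where type == "microsoft.authorization/policydefinitions"
    // properties is dynamic, so cast to string before comparing
    | extend effect = tostring(properties.parameters.effect.defaultValue)
    | extend displayName = tostring(properties.displayName)
    | where effect == "Deny"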
    

  2. SwathiDhanwada-MSFT 17,726 Reputation points
    2024-02-15T09:09:52.75+00:00

    @Techtester Microsoft.Authorization/policies/deny/action is a type of Azure activity log event that is generated when an Azure Policy denies an action on a resource.

    When a policy is assigned to a resource, it can have a "deny" effect that prevents certain actions from being performed on the resource. When an action is denied by a policy, an Azure activity log event is generated with the Microsoft.Authorization/policies/deny/action event type.

    This event type contains information about the policy that denied the action, the resource that the action was performed on, and the user or application that attempted to perform the action. This information can be used to monitor and audit policy compliance in your Azure environment.

    You can try creating an activity log alert to be notified whenever a deny policy action takes place. On how to create an activity log alert, you can refer to this document.

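An activity log alert of the kind the second answer describes, written as a Bicep template. This is an added example, not code from the thread: the resource names, the `alertEmail` parameter and the subscription-wide scope are assumptions, and the `Policy` category is the activity log category that records Azure Policy effect actions such as deny.

```bicep
// Added example (not from the thread). Resource names and the e-mail
// parameter are placeholders; deploy into any resource group of the
// subscription you want to monitor.
@description('Mailbox that receives the alert (placeholder, supply your own)')
param alertEmail string

// Action group: who gets notified when the alert fires.
resource denyActionGroup 'Microsoft.Insights/actionGroups@2023-01-01' = {
  name: 'ag-policy-deny'
  location: 'Global'
  properties: {
    groupShortName: 'policydeny' // short name is limited to 12 characters
    enabled: true
    emailReceivers: [
      {
        name: 'security-team'
        emailAddress: alertEmail
        useCommonAlertSchema: true
      }
    ]
  }
}

// Activity log alert: fires on every event whose operation name is the
// deny event type named in the answer above.
resource denyAlert 'Microsoft.Insights/activityLogAlerts@2020-10-01' = {
  name: 'alert-policy-deny'
  location: 'Global'
  properties: {
    enabled: true
    description: 'E-mail when Azure Policy denies a request'
    scopes: [
      subscription().id // whole subscription; narrow to a resource group ID if preferred
    ]
    condition: {
      allOf: [
        {
          field: 'category'
          equals: 'Policy'
        }
        {
          field: 'operationName'
          equals: 'Microsoft.Authorization/policies/deny/action'
        }
      ]
    }
    actions: {
      actionGroups: [
        {
          actionGroupId: denyActionGroup.id
        }
      ]
    }
  }
}
```

It can be deployed with `az deployment group create --resource-group <resource-group> --template-file <file>.bicep --parameters alertEmail=<address>`; no Log Analytics workspace is involved because the rule evaluates the subscription's activity log directly.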