Hi anonymous user,
Yes, there is a way to see who has changed a policy definition or assignment with the help of Activity logs. Below are the actions under which such changes are logged.
- Action for change in policy definition - Microsoft.Authorization/policyDefinitions/write
- Action for change in policy assignment - Microsoft.Authorization/policyAssignments/write
For testing purposes, I changed the names of both the definition and the assignment and could see those changes tracked under the activity log's properties.requestbody attribute.
You can create alerts by sending activity logs to a Log Analytics workspace in one of two ways, i.e., via Activity log diagnostic settings or via the legacy method, and then configure a log alert with the help of the AzureActivity table.
Activity logs diagnostics settings way:
Legacy way:
Sample Kusto query using the AzureActivity table to fetch just the policy definition write operations for a particular policy definition, performed by a particular caller:
Related reference:
Azure resource provider operations
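As an added example (not part of the answer above), the following self-contained Kusto query shows the detection the answer describes: filter the AzureActivity table on the two `Microsoft.Authorization/policy*/write` operations, keep only completed events, optionally narrow to one caller or one policy, and pull the new display name or assigned definition out of the `requestbody` string nested in `Properties`. The rows in the `datatable` are constructed so the query runs anywhere a Kusto endpoint is available; the callers, IPs, subscription ID and policy names are invented, and the two status values are an assumption that the diagnostic-settings connector records `Success` while the legacy connector recorded `Succeeded`.

```kusto
// Added example. Constructed rows in the shape of the AzureActivity table;
// in a real workspace delete the datatable and query AzureActivity directly.
let SampleActivity = datatable(
    TimeGenerated: datetime,
    OperationNameValue: string,
    ActivityStatusValue: string,
    Caller: string,
    CallerIpAddress: string,
    ResourceId: string,
    Properties: string
) [
    // Definition edited successfully by alice (display name bumped to v2).
    datetime(2024-03-01 09:15:00), "Microsoft.Authorization/policyDefinitions/write", "Success",
    "alice@contoso.com", "203.0.113.10",
    "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/policyDefinitions/deny-public-ip",
    @'{"requestbody":"{\"properties\":{\"displayName\":\"Deny public IP v2\",\"mode\":\"All\"}}"}',
    // The "Start" event of the same write; it carries no outcome and must be dropped.
    datetime(2024-03-01 09:14:59), "Microsoft.Authorization/policyDefinitions/write", "Start",
    "alice@contoso.com", "203.0.113.10",
    "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/policyDefinitions/deny-public-ip",
    @'{"requestbody":"{\"properties\":{\"displayName\":\"Deny public IP v2\",\"mode\":\"All\"}}"}',
    // Assignment re-pointed at a permissive custom definition by bob.
    datetime(2024-03-01 11:40:00), "Microsoft.Authorization/policyAssignments/write", "Success",
    "bob@contoso.com", "198.51.100.7",
    "/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/policyAssignments/prod-baseline",
    @'{"requestbody":"{\"properties\":{\"displayName\":\"Prod baseline\",\"policyDefinitionId\":\"/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/policyDefinitions/allow-all-temp\"}}"}',
    // Unrelated resource write; must not match.
    datetime(2024-03-01 12:00:00), "Microsoft.Storage/storageAccounts/write", "Success",
    "carol@contoso.com", "192.0.2.5",
    "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/sa1",
    "{}"
];
// Optional filters: leave empty to see every policy write in the time range.
let targetCaller = "";
let targetPolicy = "";   // substring of ResourceId, e.g. "policyDefinitions/deny-public-ip"
SampleActivity
| where OperationNameValue in~ (
        "Microsoft.Authorization/policyDefinitions/write",
        "Microsoft.Authorization/policyAssignments/write")
// Each write logs a Start event and a completion event; keep only completions.
// Assumption: "Success" from diagnostic settings, "Succeeded" from the legacy connector.
| where ActivityStatusValue in~ ("Success", "Succeeded")
| where isempty(targetCaller) or Caller =~ targetCaller
| where isempty(targetPolicy) or ResourceId contains targetPolicy
// Properties is a JSON string whose requestbody field is itself a JSON string.
| extend requestBody = parse_json(tostring(parse_json(Properties).requestbody))
| extend ChangedDisplayName  = tostring(requestBody.properties.displayName),
         AssignedDefinitionId = tostring(requestBody.properties.policyDefinitionId)
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue, ResourceId,
          ChangedDisplayName, AssignedDefinitionId
| order by TimeGenerated desc
```

Against the sample rows the query returns two results: bob's assignment write, whose `AssignedDefinitionId` now points at `allow-all-temp`, and alice's definition write with the new display name; the `Start` event and the storage account write are filtered out. To turn this into the log alert the answer mentions, run the query (without the `datatable`) on a schedule over the AzureActivity table and fire when the result count is greater than zero; the `Caller` and `CallerIpAddress` columns are what answer "who", and the parsed request body is what tells you what actually changed.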