FitriAlmiraYasmin-5079 asked:

Alert for Azure Policy Definition and Assignment Changes

I have an assigned policy in my subscription with Deny mode. However, somebody in my team keeps changing this back to Audit. In another instance, my Azure policy definition was also changed. Is there a way I can see who changed my policy definition and assignment? How do I create alerts for these types of changes?

azure-policy

Hi @FitriAlmiraYasmin-5079,

Did you get chance to review the below response? Let me know if you have any further queries regarding it.


Hi @FitriAlmiraYasmin-5079,

Hope the below information was helpful. Let me know if you have any further queries regarding it.


1 Answer

tbgangav-MSFT answered:

Hi @FitriAlmiraYasmin-5079,

Yes, there is a way to see who has changed a policy definition or assignment with the help of Activity logs. Below are the actions under which such changes are logged.

  • Action for change in policy definition - Microsoft.Authorization/policyDefinitions/write

  • Action for change in policy assignment - Microsoft.Authorization/policyAssignments/write

[three screenshots of the Activity log entries for these operations]

For testing purposes, I have changed the names of both the definition and the assignment and could see those changes being tracked under the activity log's properties.requestbody attribute.

You can create alerts by sending activity logs to a Log Analytics workspace in two ways, i.e., via Activity log diagnostic settings or via the legacy method, and then you can configure a log alert with the help of the AzureActivity table.

Activity log diagnostic settings way:
[three screenshots of the diagnostic settings configuration]

Legacy way:
[screenshot of the legacy Activity log connector configuration]

Sample Kusto query using the AzureActivity table to fetch only policy definition write operations for a particular policy definition performed by a particular caller:
[screenshot of the query]

Related reference:
Azure resource provider operations

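The query in the answer above survives only as a screenshot, so here is an added KQL example (not the answer's own query) over the AzureActivity table that covers both write operations and also surfaces the effect value from the request body, which is what the question is really after. The definition name and caller UPN are placeholders; column names follow the Log Analytics AzureActivity schema, and the status values are assumed to be one of the two spellings seen in that table.

```kusto
// Added example, not from the original answer. Placeholders: replace the
// definition name and (optionally) the caller before use.
let target_definition = "<policy-definition-name>";   // placeholder
let suspect_caller    = "<user@contoso.com>";         // placeholder, optional filter
AzureActivity
| where TimeGenerated > ago(7d)
// Both operations the answer lists; OperationNameValue is stored upper-case,
// so use the case-insensitive =~ operator.
| where OperationNameValue =~ "Microsoft.Authorization/policyDefinitions/write"
     or OperationNameValue =~ "Microsoft.Authorization/policyAssignments/write"
// Keep completed writes only (assumption: status spelled either way).
| where ActivityStatusValue in~ ("Success", "Succeeded")
// Narrow to the definition/assignment of interest; drop this line to alert on all.
| where _ResourceId has target_definition
// Optional: restrict to one caller, as the answer's screenshot query does.
| where isempty(suspect_caller) or Caller =~ suspect_caller
// Properties is a JSON string whose requestbody field is itself a JSON string,
// hence the double parse_json.
| extend RequestBody = parse_json(tostring(parse_json(Properties).requestbody))
| extend NewEffect       = tostring(RequestBody.properties.parameters.effect.value),
         EnforcementMode = tostring(RequestBody.properties.enforcementMode)
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue,
          _ResourceId, NewEffect, EnforcementMode, CorrelationId
| order by TimeGenerated desc
```

Used as the condition of a log alert rule, any row returned (for example NewEffect changing to "Audit") fires the alert; the CorrelationId ties the write back to the full Activity log entry.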

Hi,

Thank you so much for the elaborate answer. This is indeed really helpful. I tried to recreate your solution in my environment. But it does not work for me because my policy is assigned at the Management Group level. I found out that it's currently not possible to create an alert on an MG's event logs. It's very unfortunate.