Monitor Activity Log alert should be configured for ‘Delete Policy Assignment’

Description

Create an activity log alert for the Delete Policy Assignment event. Monitoring for Delete Policy Assignment events reduces the time for users to detect any unwanted changes to policy assignments.

Remediation Steps

Azure Portal

  • Navigate to Monitor > Alerts.

  • Select New alert rule.

  • Under Scope, click Select Resource.

  • Select your subscription.

  • Under Filter by resource type, select Policy assignment (policyAssignments).

  • Click on the subscription from the entries populated under Resource.

  • Verify that Selection preview shows All Policy assignment (policyAssignments) and your selected subscription name.

  • Select Done.

  • Under Condition, click Add Condition.

  • In the search, enter the term “Delete policy assignment” and select Delete policy assignment (Microsoft.Authorization/policyAssignments).

  • Select Done.

  • Under Actions, click Add action groups.

  • Select the desired action group to attach to the alert rule, or create one if needed, and click Select.

  • Enter an alert rule name and description.

  • Select a resource group.

  • Check the Enable alert rule upon creation checkbox.

  • Click Create alert rule.

Azure CLI

  • Create a Monitor Activity Log Alert for Delete Policy Assignments, replacing <resource_group_name>, <subscription_id>, and <action_group> with your own values:

az monitor activity-log alert create --name deletePolicyAssignment \
  --resource-group <resource_group_name> \
  --condition category="Administrative" and \
  operationName="Microsoft.Authorization/policyAssignments/delete" \
  --scope "/subscriptions/<subscription_id>" \
  --action-group <action_group>
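As an added example (not part of this benchmark or of the Azure CLI), the following Python check audits the JSON that `az monitor activity-log alert list -o json` returns and reports which rules actually cover Delete Policy Assignment as the steps above require: enabled, scoped to the whole subscription, matching both the Administrative category and the delete operation, and wired to an action group. It assumes the flattened resource shape of that output (`enabled`, `scopes`, `condition.allOf`, `actions.actionGroups`) and uses constructed sample rules in place of a live subscription.

```python
import json

REQUIRED_CATEGORY = "Administrative"
REQUIRED_OPERATION = "Microsoft.Authorization/policyAssignments/delete"

def alert_gaps(alert, subscription_id):
    """Return why this rule does NOT satisfy the control (an empty list means it does)."""
    gaps = []
    if not alert.get("enabled", False):
        gaps.append("rule is disabled")
    # The rule must be scoped to the whole subscription; a resource-group scope misses deletions elsewhere.
    wanted_scope = f"/subscriptions/{subscription_id}".lower()
    if wanted_scope not in [s.lower() for s in alert.get("scopes", [])]:
        gaps.append("scope is not the whole subscription")
    # condition.allOf is a list of {"field": ..., "equals": ...} clauses that must all match an event.
    clauses = {c.get("field", "").lower(): c.get("equals", "")
               for c in alert.get("condition", {}).get("allOf", [])}
    if clauses.get("category", "").lower() != REQUIRED_CATEGORY.lower():
        gaps.append("category is not Administrative")
    if clauses.get("operationname", "").lower() != REQUIRED_OPERATION.lower():
        gaps.append(f"operationName is not {REQUIRED_OPERATION}")
    if not alert.get("actions", {}).get("actionGroups"):
        gaps.append("no action group attached")
    return gaps

def compliant_alerts(alerts, subscription_id):
    """Names of the rules that fully cover Delete Policy Assignment for this subscription."""
    return [a["name"] for a in alerts if not alert_gaps(a, subscription_id)]

# Constructed sample of what the CLI might return (not real data); <action_group_resource_id> is a placeholder.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_ALERTS = json.loads("""[
  {"name": "deletePolicyAssignment", "enabled": true, "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
   "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                           {"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}]},
   "actions": {"actionGroups": [{"actionGroupId": "<action_group_resource_id>"}]}},
  {"name": "writePolicyAssignment", "enabled": true, "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
   "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                           {"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]},
   "actions": {"actionGroups": [{"actionGroupId": "<action_group_resource_id>"}]}},
  {"name": "deletePolicyAssignment-draft", "enabled": false, "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"],
   "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                           {"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}]},
   "actions": {"actionGroups": []}}
]""")

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(alert["name"], alert_gaps(alert, SUBSCRIPTION_ID) or "OK")
```

Pipe the real CLI output into `json.loads` in place of `SAMPLE_ALERTS` to run the same check against a subscription; an empty result from `compliant_alerts` is the finding this control is looking for.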