Description

Create an activity log alert for the Create Policy Assignment event.

Rationale

Monitoring for create policy assignment events gives insight into changes done in "Azure policy - assignments" and can reduce the time it takes to detect unsolicited changes.

Audit

From Azure Portal

Navigate to the Monitor blade.
Click on Alerts.
In the Alerts window, click on Alert rules.
Ensure an alert rule exists where the Condition column contains Operation name=Microsoft.Authorization/policyAssignments/write.
Click on the Alert Name associated with the previous step.
Ensure the Condition panel displays the textWhenever the Activity Log has an event with Category='Administrative', Operation name='Create policy assignment' and does not filter on Level, Status or Caller.
Ensure the Actions panel displays an Action group is assigned to notify the appropriate personnel in your organization.

From Azure CLI

az monitor activity-log alert list --subscription <subscription ID> --query "[].{Name:name,Enabled:enabled,check:condition.allOf,Actions:actions}"

Look for Microsoft.Authorization/policyAssignments/write in the output. If it's missing, generate a finding.

From PowerShell

Get-AzActivityLogAlert -SubscriptionId <subscription ID>|where-object {$_.ConditionAllOf.Equal -match "Microsoft.Authorization/policyAssignments/write"}|select-object Location,Name,Enabled,ResourceGroupName,ConditionAllOf

If the output is empty, an alert rule for Create Policy Assignments is not configured.

From Azure Policy

If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.

Policy ID: c5447c04-a4d7-4ba8-a263-c9ee321a6858 - Name: An activity log alert should exist for specific Policy operations

Default Value

By default, no monitoring alerts are created.

Rationale​

Audit​

From Azure Portal​

From Azure CLI​

From PowerShell​

From Azure Policy​

Default Value​

References​