Nowadays, Conditional Access (CA) policies can’t be missed in any organization. This blog post will discuss monitoring changes in Conditional Access policies with Defender for Cloud Apps alerts. Conditional Access policies are often well thought out before they are created.
However, changes are frequently made to these Conditional Access policies that deviate from the organizational baseline. Therefore this needs to be part of the governance strategy of every organization. For example, a common change is adding users to the exclusion list of a Conditional Access policy that requires MFA. This post will walk through the actions to configure alerts, followed by a look at the experience.
Note: Using Defender for Cloud Apps requires a Microsoft 365 E5 license or the EM+S E5 license. If you don't have an EMS E5 or Microsoft 365 E5 license, you can always use KQL queries in combination with a Log Analytics workspace and alert rules to send out an alert. This costs $1.50 per month.
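As an added example of the KQL route mentioned in the note (this query is not part of the original post), the following alert query detects the same events in a Log Analytics workspace that receives Entra ID (Azure AD) audit logs through diagnostic settings, and also surfaces the exclusion-list change described earlier. It assumes the AuditLogs table is populated, that the three OperationName values are the ones emitted for Conditional Access changes, that each such record carries a modifiedProperties entry named ConditionalAccessPolicy holding the policy JSON before and after the change, and that the policy JSON uses the Graph-style conditions.users.excludeUsers path; treat those as assumptions to verify against your own tenant's logs.

```kql
// Added example: Log Analytics alert query for Conditional Access policy changes.
// Assumptions (not from the original post): AuditLogs is fed by Entra ID diagnostic
// settings; OperationName values and the ConditionalAccessPolicy modifiedProperties
// entry are as observed in typical tenants; policy JSON follows the Graph schema.
AuditLogs
| where TimeGenerated > ago(5m)                     // match the 5-minute evaluation window
| where Category == "Policy"
| where OperationName in ("Add conditional access policy",
                          "Update conditional access policy",
                          "Delete conditional access policy")
| extend PolicyName = tostring(TargetResources[0].displayName)
// Who made the change: a user, or an app (service principal) acting through Graph
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                          tostring(InitiatedBy.app.displayName))
| extend ActorIp = tostring(InitiatedBy.user.ipAddress)
// The ConditionalAccessPolicy property holds the full policy JSON before and after
| mv-expand Prop = TargetResources[0].modifiedProperties
| where tostring(Prop.displayName) == "ConditionalAccessPolicy"
| extend OldPolicy = parse_json(tostring(Prop.oldValue)),
         NewPolicy = parse_json(tostring(Prop.newValue))
// Compare exclusion lists so the alert shows exactly which users were newly excluded
| extend OldExcludedUsers = coalesce(OldPolicy.conditions.users.excludeUsers, dynamic([])),
         NewExcludedUsers = coalesce(NewPolicy.conditions.users.excludeUsers, dynamic([]))
| extend NewlyExcludedUsers = set_difference(NewExcludedUsers, OldExcludedUsers)
| project TimeGenerated, OperationName, PolicyName, Actor, ActorIp, Result,
          NewlyExcludedUsers, CorrelationId
```

Attach this query to a scheduled alert rule with a 5-minute frequency and a threshold of 0 results; unlike the Defender for Cloud Apps activity policy, one rule covers every Conditional Access policy, and the NewlyExcludedUsers column lets the responder see an MFA bypass exclusion without opening the portal.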
Locating the Activity object
Since we don’t have Conditional Access as an App in Defender for Cloud Apps, we need to find out which Activity ID is related to our CA policy. You must create a new alert for every CA policy you want to monitor. I didn’t find any other way to monitor all policies simultaneously with Defender for Cloud Apps.
Before creating an alert for the Conditional Access policy that we want to monitor, we need to determine which Activity object ID belongs to the policy. Therefore I recommend you change the CA policy you wish to use in this example to gather the ID. This can be found under the Defender for Cloud Apps Portal > Investigate and click on the Activity log. Now find the log item showing the Conditional Access policy name you changed. In my case, it’s MFA-Trusted-Location. Copy the ID so we can use this one to create an alert.
Creating the e-mail/text message alert
Now that we have the Activity Object ID, we need to create a new policy. Within the Defender for Cloud Apps portal, navigate to Control > Policies. Now click on Create policy and choose Activity policy.
Now that we have the window to create a new activity policy fill in all the required fields as shown below. For the policy match/trigger, you must paste the Activity object ID you copied in the previous steps. Click on Create when you have filled in all the fields.
Testing the alert
When an admin changes the Conditional Access policy MFA-Trusted-Location, we will receive an e-mail within 5 minutes with some information. The e-mail includes the Activity name, which consists of the CA policy name, the user that changed the CA policy, and the activity time. There are also additional links to open the Defender for Cloud Apps portal.
I hope this allows you to control your organizational CA policies. Please don’t hesitate to share your experience, and let me know if you have found a way to create one policy to monitor all CA policy changes. Tip: don’t forget to turn on Continuous Access Evaluation if you use Conditional Access in your organization.