Rules Contributing to Microsoft Entra Changes to Conditional Access Policy Alert

The following rules are used to identify suspicious Microsoft Entra changes to conditional access policy. Any one or more of these will trigger the Microsoft Entra Changes to Conditional Access Policy Alert. Details for each rule can be viewed by clicking the More Details link in the description.



New CA Policy by Non-Approved Actor

Monitor and alert on conditional access changes.

CA Policy Updated by Non-Approved Actor

Monitor and alert on conditional access changes. Check whether the Initiated by (actor) is approved to make changes. Review Modified Properties and compare the "old" and "new" values.

User Added to Group with CA Policy Modification Access

Monitor and alert on membership additions to groups that have CA policy modification access.

CA Policy Removed by Non-Approved Actor

Monitor and alert on conditional access changes where a non-approved actor removed a CA policy.
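
The four rules above expressed as checks over audit records, as an added example that is not the product's own rule logic. The activity names and record fields follow the Microsoft Entra audit log schema; the approved-actor list, the group ID and the sample record are constructed assumptions.

```python
import json

# Assumed for this example (not from the page): the approved-actor list and
# the IDs of groups that grant CA policy modification access.
APPROVED_ACTORS = {"ca-admin@contoso.example"}
CA_ADMIN_GROUP_IDS = {"11111111-aaaa-4bbb-8ccc-000000000001"}
CA_RULES = {
    "Add conditional access policy": "New CA Policy by Non-Approved Actor",
    "Update conditional access policy": "CA Policy Updated by Non-Approved Actor",
    "Delete conditional access policy": "CA Policy Removed by Non-Approved Actor",
}

def actor_of(event):
    by = event.get("initiatedBy") or {}  # either "user" or "app" is populated
    user, app = by.get("user") or {}, by.get("app") or {}
    return (user.get("userPrincipalName") or app.get("displayName") or "unknown").lower()

def _load(raw):
    try:
        value = json.loads(raw) if raw else {}
    except (TypeError, ValueError):
        value = raw  # not JSON: keep the text so the change is still visible
    return value if isinstance(value, dict) else {"raw": value}

def policy_diff(event):
    """Compare "old" vs "new" values: {field: (old, new)} for changed fields."""
    diff = {}
    for target in event.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            old, new = _load(prop.get("oldValue")), _load(prop.get("newValue"))
            for key in set(old) | set(new):
                if old.get(key) != new.get(key):
                    diff[key] = (old.get(key), new.get(key))
    return diff

def evaluate(event):
    """Return the name of the rule this event matches, or None."""
    activity = event.get("activityDisplayName")
    if activity in CA_RULES:
        return None if actor_of(event) in APPROVED_ACTORS else CA_RULES[activity]
    if activity == "Add member to group":
        if CA_ADMIN_GROUP_IDS & {t.get("id") for t in event.get("targetResources") or []}:
            return "User Added to Group with CA Policy Modification Access"
    return None

SAMPLE_UPDATE = {  # constructed record shaped like an Entra audit log entry
    "activityDisplayName": "Update conditional access policy",
    "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
    "targetResources": [{"modifiedProperties": [
        {"oldValue": '{"state": "enabled"}', "newValue": '{"state": "disabled"}'}]}]}
```

Calling `evaluate(SAMPLE_UPDATE)` names the matching rule, and `policy_diff(SAMPLE_UPDATE)` shows that the policy state went from enabled to disabled, which is the detail an analyst needs when triaging the alert.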