KQL Search

Query Details

Azure AD Conditional Access Policy Changes

Query

# Azure Active Directory - Conditional Access Changes

## Query Information

### Description

This query provides a simple overview of Conditional Access policy changes

```kql
AuditLogs
| where OperationName has_any("conditional access policy")
| project
    TimeGenerated,
    OperationName,
    policy=TargetResources[0].displayName,
    modifiedBy=InitiatedBy.user.userPrincipalName
```

Explanation

This query retrieves information about changes made to Conditional Access policies in Azure Active Directory. It includes the time the change was made, the type of operation performed (such as creating or modifying a policy), the name of the policy that was changed, and the user who made the change.

Details

Alex Verboon

Released: June 4, 2023

Tables

AuditLogs

Keywords

AuditLogs,OperationName,TargetResources,TimeGenerated,InitiatedBy

Operators

wherehas_anyproject

KQL Search

Azure AD Conditional Access Policy Changes

Query

Explanation

Details

Actions