Conditional Access Policy Addition
Conditional Access Add Policy
Query
AuditLogs
| where OperationName == "Add conditional access policy"
| extend DeletedPolicy = TargetResources.[0].displayName, Actor = InitiatedBy.user.userPrincipalName
| project TimeGenerated, Actor, DeletedPolicy, TargetResourcesAbout this query
Conditional Access Policy Addition
Query Information
Description
This KQL query lists all conditional access policies that have been added.
References
- https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-consumer-accounts
- https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/
Sentinel
Explanation
This KQL query is designed to identify and list all instances where a conditional access policy has been added in an Azure environment. Here's a simple breakdown of what the query does:
-
Data Source: It pulls data from the
AuditLogs, which contains records of various operations performed within Azure. -
Filter: The query specifically looks for log entries where the operation performed is "Add conditional access policy". This means it focuses only on events related to the creation of new conditional access policies.
-
Extract Information:
- It extracts the name of the policy that was added (
DeletedPolicy) from the first item in theTargetResourcesarray. - It also retrieves the user principal name of the person who initiated the addition of the policy (
Actor).
- It extracts the name of the policy that was added (
-
Output: The query then projects (or selects) a few key pieces of information to display:
TimeGenerated: The timestamp of when the policy was added.Actor: The user who added the policy.DeletedPolicy: The name of the policy that was added.TargetResources: The resources targeted by the policy.
In summary, this query helps administrators track when new conditional access policies are added, who added them, and what those policies are targeting.
Details

Bert-Jan Pals
Released: November 17, 2023
Tables
Keywords
Operators