Conditional Access Add Policy

# Conditional Access Policy Addition

## Query Information

#### Description
This KQL query lists all conditional access policies that have been added.

#### References
- https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-consumer-accounts
- https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/


## Sentinel
```KQL
AuditLogs
| where OperationName == "Add conditional access policy"
// TargetResources is a dynamic array: index it with [0], not .[0]
| extend AddedPolicy = tostring(TargetResources[0].displayName)
// Fall back to the app display name when a service principal, not a user, created the policy
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| project TimeGenerated, Actor, AddedPolicy, TargetResources
```

Explanation

This query retrieves information about conditional access policies that have been added. It filters the audit logs to only those entries whose operation name is "Add conditional access policy". It then extends the results with the display name of the policy that was added (taken from the first element of the TargetResources array) and the user principal name of the person who initiated the addition. The final result includes the time the event was generated, the actor (the identity that made the change), the added policy, and the full target resources. Note that when a policy is created by an application or service principal rather than an interactive user, the actor is recorded under InitiatedBy.app instead of InitiatedBy.user.
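To make the record shape concrete, the following Python snippet applies the same filter-extend-project logic to a few constructed AuditLogs rows, including one created by a service principal so that the actor fallback is exercised. This is an added example, not code from the original page or from the query author; the sample rows, the tenant name and the app name are made up, and the field names used are the Sentinel AuditLogs columns referenced by the query (OperationName, TimeGenerated, InitiatedBy, TargetResources).

```python
import json

# Constructed sample AuditLogs rows (not real tenant data), mirroring the
# Sentinel columns the query touches: TimeGenerated, OperationName,
# InitiatedBy (user or app) and TargetResources (array of dynamic objects).
SAMPLE_AUDIT_LOGS = [
    {
        "TimeGenerated": "2023-10-23T08:15:00Z",
        "OperationName": "Add conditional access policy",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "TargetResources": [{"displayName": "Require MFA for all users", "type": "Policy"}],
    },
    {
        # A delete event: must be excluded by the OperationName filter.
        "TimeGenerated": "2023-10-23T09:02:00Z",
        "OperationName": "Delete conditional access policy",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "TargetResources": [{"displayName": "Block legacy auth", "type": "Policy"}],
    },
    {
        # Policy created by an application (hypothetical pipeline app); no user UPN present.
        "TimeGenerated": "2023-10-23T10:30:00Z",
        "OperationName": "Add conditional access policy",
        "InitiatedBy": {"app": {"displayName": "CA-Deployment-Pipeline"}},
        "TargetResources": [{"displayName": "Allow break-glass from corp network", "type": "Policy"}],
    },
]


def actor_of(row):
    """Equivalent of the query's Actor column: the user's UPN, falling back to
    the app display name when a service principal made the change."""
    initiated_by = row.get("InitiatedBy") or {}
    user = (initiated_by.get("user") or {}).get("userPrincipalName")
    app = (initiated_by.get("app") or {}).get("displayName")
    return user or app or "<unknown>"


def added_policies(rows):
    """where OperationName == 'Add conditional access policy'
       | extend AddedPolicy, Actor
       | project TimeGenerated, Actor, AddedPolicy, TargetResources"""
    results = []
    for row in rows:
        if row.get("OperationName") != "Add conditional access policy":
            continue
        targets = row.get("TargetResources") or []
        # TargetResources[0].displayName, tolerating an empty array
        policy = targets[0].get("displayName") if targets else None
        results.append({
            "TimeGenerated": row["TimeGenerated"],
            "Actor": actor_of(row),
            "AddedPolicy": policy,
            "TargetResources": targets,
        })
    return results


if __name__ == "__main__":
    for hit in added_policies(SAMPLE_AUDIT_LOGS):
        print(json.dumps(hit))
```

Running the script prints the two add events and drops the delete event; the second hit shows the app display name as the actor, which is the row a UPN-only extraction would leave blank.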

Details


Bert-Jan Pals

Released: October 23, 2023

Tables

AuditLogs

Keywords

Conditional,Access,Policies,Added

Operators

where, extend, project
