Detect suspicious conditional access policy modifications
Detect Suspicious Ca Changes
Query
N/AAbout this query
Explanation
This query is designed to detect suspicious changes to conditional access (CA) policies in Entra ID, which could indicate a security risk. Here's a simplified breakdown of what the query does:
-
Purpose: The query aims to identify when CA policies are weakened, such as when users or groups are removed from inclusion lists, added to exclusion lists, or when the policies themselves are disabled or deleted.
-
Data Sources: It analyzes audit logs from the past 24 hours to track changes in CA policies, named locations, and group memberships related to CA policies.
-
Key Checks:
- Policy Changes: It checks for updates or deletions of CA policies and compares the old and new configurations to identify if any security controls have been relaxed.
- Named Locations: It flags any additions or updates to trusted named locations, which could be used to bypass security measures.
- Group Memberships: It monitors changes in group memberships that are used in CA policies, specifically looking for members being removed from inclusion groups or added to exclusion groups.
-
Justification Check: The query also checks if these changes were justified through Privileged Identity Management (PIM) activations. It flags changes that were not justified by a PIM activation.
-
Output: The query outputs a list of suspicious changes, including the time of the change, the operation performed, the user who initiated the change, and the reasons why the change is considered suspicious.
Overall, this query helps security teams monitor and respond to potentially unauthorized or risky modifications to CA policies, which are critical for maintaining secure access controls.
Details

Robbe Van den Daele
Released: January 26, 2025
Tables
Keywords
Operators