Query Details

Who Changed Conditional Access Policy

Query

//Reporting when a Conditional Access Policy is updated and who did it

AuditLogs
| where OperationName == "Update policy"
| extend Person = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project Person

Explanation

This query searches the AuditLogs table for "Update policy" operations, which are recorded when a Conditional Access Policy is updated. It then extracts the user who initiated each update and returns only their userPrincipalName.
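The following variant is an added example, not part of the original query or the author's work. It reports when each change happened, which policy was touched, and the old and new values alongside the person. It assumes the standard AuditLogs columns TimeGenerated, Result, InitiatedBy and TargetResources, a 30-day lookback chosen for illustration, and that the workspace may also record the change under the operation name "Update conditional access policy".

```kusto
// Added example (not the original author's query).
// Assumptions: 30-day lookback; the second operation name below may be
// what the tenant logs for Conditional Access edits. The original filter
// value "Update policy" is kept so no rows from the original are lost.
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName in ("Update policy", "Update conditional access policy")
// A change can be initiated by a user or by an application/service principal.
// tostring() of a missing field yields "", so test with isnotempty()
// rather than coalesce(), which would return the empty string.
| extend UserUpn = tostring(InitiatedBy.user.userPrincipalName)
| extend Person = iff(isnotempty(UserUpn), UserUpn,
                      tostring(InitiatedBy.app.displayName))
| extend InitiatorType = iff(isnotempty(UserUpn), "user", "app")
| extend SourceIP = tostring(InitiatedBy.user.ipAddress)
// One row per target policy, then one row per modified property
| mv-expand Target = TargetResources
| extend PolicyName = tostring(Target.displayName),
         PolicyId   = tostring(Target.id)
| mv-expand Change = Target.modifiedProperties
| extend Property = tostring(Change.displayName),
         OldValue = tostring(Change.oldValue),
         NewValue = tostring(Change.newValue)
| project TimeGenerated, Person, InitiatorType, SourceIP, OperationName,
          Result, PolicyName, PolicyId, Property, OldValue, NewValue
| sort by TimeGenerated desc
```

Keeping Result in the output shows failed update attempts next to successful ones, which is useful when reviewing who tried to alter a policy.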

Details

Rod Trent

Released: February 5, 2021

Tables

AuditLogs

Keywords

AuditLogs,OperationName,Update,Policy,InitiatedBy,Person,userPrincipalName

Operators

where, ==, extend, tostring, parse_json, project
