Account should have a configured activity log alert for deleting policy assignments

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Warning: This rule will be deprecated 18 December 2023 as part of the update to Azure CIS version 2.0.0


Create an activity log alert for the Delete Policy Assignment event.


By monitoring delete policy assignment events, you gain insight into changes in the Policy - Assignments page and reduce the time it takes to detect unsolicited changes.


From the console

  1. Navigate to Monitor.
  2. Select Alerts.
  3. Click On New Alert Rule.
  4. Under Scope, click Select resource.
  5. Select the appropriate subscription under Filter by subscription.
  6. Select Policy Assignment under Filter by resource type.
  7. Select All for Filter by location.
  8. Click on the subscription from the entries populated under Resource.
  9. Verify that Selection preview shows All Policy assignments (policyAssignments) and your selected subscription name.
  10. Click Done.
  11. Under Condition, click Add Condition.
  12. Select Delete policy assignment signal.
  13. Click Done.
  14. Under Action group, select Add action groups and either complete the creation process or select the appropriate action group.
  15. Under Alert rule details, enter Alert rule name and Description.
  16. Select the appropriate resource group to save the alert to.
  17. Click on the Enable alert rule upon creation checkbox.
  18. Click Create alert rule.

From the command line

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json"$0/resourceGroups/<Resource_Group_To_Create_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01 -d@"input.json"

Where input.json contains the request body JSON data below:

	"location": "Global",
	"tags": {},
	"properties": {
		"scopes": [
		"enabled": true,
		"condition": {
			"allOf": [{
					"containsAny": null,
					"equals": "Administrative",
					"field": "category"
					"containsAny": null,
					"equals": "Microsoft.Authorization/policyAssignments/delete",
					"field": "operationName"
		"actions": {
			"actionGroups": [{
				"actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>",
				"webhookProperties": null

Configurable Parameters for command line:

  • <Resource_Group_To_Create_Alert_In>
  • <Unique_Alert_Name>

Configurable Parameters for input.json:

  • <Subscription_ID> in scopes
  • <Subscription_ID> in actionGroupId
  • <Resource_Group_For_Alert_Group> in actionGroupId
  • <Alert_Group> in actionGroupId

Using PowerShell AZ cmdlets:

$ComplianceName = 'Delete Policy Assignment'
$Signal = 'Microsoft.Authorization/policyAssignments/delete'
$Category = 'Administrative'
$ResourceGroupName = 'MyResourceGroup'
$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)
$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)
$Subscription = (Get-AzContext).Subscription
$location = 'Global'
$scope = "/subscriptions/$($Subscription.Id)"
$alertName = "$($Subscription.Name) - $($ComplianceName)"
$conditions = @(
  New-AzActivityLogAlertCondition -Field 'category' -Equal $Category
  New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal
Set-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions



Additional Information

  • This log alert also applies for Azure Blueprints.