User should have a 'Create Policy Assignment' activity log alert configured

Warning: This rule will be deprecated 18 December 2023 as part of the update to Azure CIS version 2.0.0


Create an activity log alert for the Create Policy Assignment event.


Monitoring for Create Policy Assignment events gives insight into changes made in “Azure Policy - Assignments” and can reduce the time it takes to detect unsolicited changes.


From the console

  1. Go to Monitor.
  2. Select Alerts.
  3. Click on New Alert Rule.
  4. Under Scope, click Select Resource.
  5. Select the appropriate subscription under Filter by Subscription.
  6. Select Policy Assignment under Filter by Resource Type.
  7. Select All for Filter by Location.
  8. Click on the subscription resource from the entries populated under Resource.
  9. Verify selection preview shows All Policy assignment (policyAssignments) and your selected subscription name.
  10. Click Done.
  11. Under Condition click Add Condition.
  12. Select Create Policy Assignment signal.
  13. Click Done.
  14. Under Action Group, select Add Action Groups and complete the creation process, or select an appropriate existing action group.
  15. Under Alert Rule Details, enter Alert Rule Name and Description.
  16. Select appropriate resource group to save the alert to.
  17. Check Enable alert rule upon creation checkbox.
  18. Click Create Alert Rule.

From the Azure Command Line Interface

To create an Activity Log Alert for Create Policy Assignment, use this command:

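az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv |
xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_To Create_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01" -d@"input.json"'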

Where input.json contains the request body JSON data mentioned below:

{
	"location": "Global",
	"tags": {},
	"properties": {
		"scopes": [
			"/subscriptions/<Subscription_ID>"
		],
		"enabled": true,
		"condition": {
			"allOf": [{
					"containsAny": null,
					"equals": "Administrative",
					"field": "category"
				}, {
					"containsAny": null,
					"equals": "Microsoft.Authorization/policyAssignments/write",
					"field": "operationName"
				}
			]
		},
		"actions": {
			"actionGroups": [{
				"actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>",
				"webhookProperties": null
			}]
		}
	}
}

Configurable parameters for the command line include the following:

  • <Resource_Group_To Create_Alert_In>
  • <Unique_Alert_Name>

Configurable parameters for input.json include the following:

  • <Subscription_ID> in scopes
  • <Subscription_ID> in actionGroupId
  • <Resource_Group_For_Alert_Group> in actionGroupId
  • <Alert_Group> in actionGroupId
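
To audit the result, the following added example (not part of the original rule text or of any vendor tooling) evaluates alert rules shaped like the input.json body above and reports why a rule does not satisfy this control. The function names, the sample rules and the all-zero subscription ID are constructed for illustration; accepting a rule without the "properties" wrapper is an assumption about flattened tool output.

```python
POLICY_OP = "Microsoft.Authorization/policyAssignments/write"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder


def sample_rule(name, operation, scope=SUB, enabled=True, groups=1):
    """Build a constructed alert rule shaped like the input.json body above."""
    group = {"actionGroupId": SUB + "/resourceGroups/rg/providers/microsoft.insights/actionGroups/ag"}
    return {"name": name, "properties": {
        "scopes": [scope], "enabled": enabled,
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName", "equals": operation}]},
        "actions": {"actionGroups": [group] * groups}}}


def evaluate(rule, subscription_scope):
    """Return the reasons a rule fails this control; an empty list means it passes."""
    props = rule.get("properties", rule)  # assumption: accept flattened output too
    # Compare case-insensitively: field names and operation names vary in casing.
    conds = {(c.get("field") or "").lower(): (c.get("equals") or "").lower()
             for c in (props.get("condition") or {}).get("allOf") or []}
    reasons = []
    if conds.get("operationname") != POLICY_OP.lower():
        reasons.append("operationName is not policyAssignments/write")
    if conds.get("category") != "administrative":
        reasons.append("category is not Administrative")
    if not props.get("enabled"):
        reasons.append("alert rule is disabled")
    scopes = [s.lower().rstrip("/") for s in props.get("scopes") or []]
    if subscription_scope.lower() not in scopes:
        reasons.append("not scoped to the whole subscription")
    if not (props.get("actions") or {}).get("actionGroups"):
        reasons.append("no action group attached")
    return reasons


def subscription_is_compliant(rules, subscription_scope):
    """The control passes when at least one rule has no failure reasons."""
    return any(not evaluate(r, subscription_scope) for r in rules)


if __name__ == "__main__":
    rules = [sample_rule("policy-assign", POLICY_OP),
             sample_rule("policy-assign-off", POLICY_OP, enabled=False),
             sample_rule("policy-assign-rg", POLICY_OP, scope=SUB + "/resourceGroups/rg1"),
             sample_rule("nsg-write", "Microsoft.Network/networkSecurityGroups/write")]
    for r in rules:
        print(r["name"], evaluate(r, SUB) or "PASS")
    print("compliant:", subscription_is_compliant(rules, SUB))
```

A rule that exists but is disabled, scoped only to a resource group, or has no action group is reported with its reason rather than counted as coverage.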