Set up the azure.activity_log integration.
Create an activity log alert for the Delete Policy Assignment event.
By monitoring delete policy assignment events, you gain insight into changes in the Policy - Assignments page and reduce the time it takes to detect unsolicited changes.
policyAssignments) and your selected subscription name.az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json"
https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_To_Create_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01 -d@"input.json"
Where input.json contains the request body JSON data below:
{
"location": "Global",
"tags": {},
"properties": {
"scopes": [
"/subscriptions/<Subscription_ID>"
],
"enabled": true,
"condition": {
"allOf": [{
"containsAny": null,
"equals": "Administrative",
"field": "category"
},
{
"containsAny": null,
"equals": "Microsoft.Authorization/policyAssignments/delete",
"field": "operationName"
}
]
},
"actions": {
"actionGroups": [{
"actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>",
"webhookProperties": null
}]
}
}
}
Configurable Parameters for command line:
<Resource_Group_To_Create_Alert_In><Unique_Alert_Name>Configurable Parameters for input.json:
<Subscription_ID> in scopes<Subscription_ID> in actionGroupId<Resource_Group_For_Alert_Group> in actionGroupId<Alert_Group> in actionGroupIdUsing PowerShell AZ cmdlets:
$ComplianceName = 'Delete Policy Assignment'
$Signal = 'Microsoft.Authorization/policyAssignments/delete'
$Category = 'Administrative'
$ResourceGroupName = 'MyResourceGroup'
$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)
$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)
$Subscription = (Get-AzContext).Subscription
$location = 'Global'
$scope = "/subscriptions/$($Subscription.Id)"
$alertName = "$($Subscription.Name) - $($ComplianceName)"
$conditions = @(
New-AzActivityLogAlertCondition -Field 'category' -Equal $Category
New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal
)
Set-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions