Verify that Activity Log Alert exists for Delete Policy Assignment
Last updated: April 9, 2026
Framework Reference: A.8.16 Integration: Azure – Activity Log Alerts
Why this matters
Azure Policy Assignments enforce organizational controls across cloud resources. Deleting these assignments weakens compliance enforcement, can permit drift from security baselines, and increases risk exposure.
By monitoring Microsoft.Authorization/policyAssignments/delete events, your organization gains real-time insight into attempts to remove policy enforcement and can react immediately to unauthorized or accidental changes.
What this check does
This Auto Check verifies whether an Activity Log Alert exists in your Azure environment that captures deletion events of Policy Assignments.
Check Logic:
Pass if an enabled alert exists with:
Category = Administrative
Operation name = Microsoft.Authorization/policyAssignments/delete
No filters applied on Level, Status, or Caller
An Action Group is assigned for notification
Fail if:
No such alert is configured
Alert is misconfigured (e.g., wrong operation, no action group, or disabled)
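The check logic above, applied to alert rules in the JSON shape that `az monitor activity-log alert list -o json` returns (an assumption about the export format; the sample rules below are constructed). This is an added example, not the Auto Check's own implementation:

```python
DELETE_OP = "Microsoft.Authorization/policyAssignments/delete"
FORBIDDEN_FILTERS = {"level", "status", "caller"}  # the check requires no filters on these

# Constructed sample rules in the activityLogAlerts resource shape (condition.allOf, actions.actionGroups)
SAMPLE_RULES = [
    {"name": "policy-assignment-delete", "enabled": True,
     "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                             {"field": "operationName", "equals": DELETE_OP}]},
     "actions": {"actionGroups": [{"actionGroupId": "/subscriptions/<sub>/resourceGroups/rg/"
                                   "providers/microsoft.insights/actionGroups/secops"}]}},
    {"name": "verbose-only", "enabled": True,  # extra level filter narrows the alert: fails
     "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                             {"field": "operationName", "equals": DELETE_OP},
                             {"field": "level", "equals": "Verbose"}]},
     "actions": {"actionGroups": [{"actionGroupId": "/subscriptions/<sub>/.../secops"}]}},
    {"name": "disabled-rule", "enabled": False,  # disabled and no action group: fails
     "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                             {"field": "operationName", "equals": DELETE_OP}]},
     "actions": {"actionGroups": []}},
]

def _leaf_fields(condition):
    """Yield (field, value) for each leaf in condition.allOf, descending into anyOf groups."""
    for entry in condition.get("allOf", []):
        if "anyOf" in entry:
            for leaf in entry["anyOf"]:
                yield leaf.get("field", "").lower(), leaf.get("equals")
        elif "field" in entry:
            yield entry["field"].lower(), entry.get("equals")

def evaluate_alert(rule):
    """Apply the check logic to one rule; return (passed, list of failure reasons)."""
    reasons = []
    if not rule.get("enabled", False):
        reasons.append("rule is disabled")
    leaves = list(_leaf_fields(rule.get("condition", {})))
    values = dict(leaves)
    if (values.get("category") or "").lower() != "administrative":
        reasons.append("category is not Administrative")
    if (values.get("operationname") or "").lower() != DELETE_OP.lower():
        reasons.append("operationName is not " + DELETE_OP)
    extra = sorted(FORBIDDEN_FILTERS & {f for f, _ in leaves})
    if extra:
        reasons.append("filters present on " + ", ".join(extra))
    groups = rule.get("actions", {}).get("actionGroups", [])
    if not any(g.get("actionGroupId") for g in groups):
        reasons.append("no action group assigned")
    return (not reasons), reasons

def check_subscription(rules):
    """Pass when at least one rule satisfies the check; also return per-rule findings."""
    findings = {r.get("name", "?"): evaluate_alert(r) for r in rules}
    return any(ok for ok, _ in findings.values()), findings
```

Feed `check_subscription` the parsed JSON list for a real subscription to see which rules pass and why the others fail.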
How to fix it
Set up the required Activity Log Alert using one of the following methods:
Via Azure Portal:
Go to Monitor > Alerts > Alert rules
Click Create > Alert rule
Choose the target Subscription
Under Condition, click See all signals
Select Delete policy assignment
Operation = Microsoft.Authorization/policyAssignments/delete
Category = Administrative
Under Actions, assign or create an Action Group
Under Details, define alert name, description, and resource group
Click Review + create, then Create
Via Azure CLI:
az monitor activity-log alert create \
  --name "<activity log rule name>" \
  --resource-group "<resource group name>" \
  --scope "/subscriptions/<subscription ID>" \
  --condition "category=Administrative and operationName=Microsoft.Authorization/policyAssignments/delete" \
  --action-group "<action group ID>" \
  --enabled true
Via PowerShell:
$conditions = @()
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Administrative" -Field "category"
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Microsoft.Authorization/policyAssignments/delete" -Field "operationName"
# Do not add a condition on level, status, or caller: a level filter (for example level=Verbose) narrows the alert and fails this check
$actionGroup = Get-AzActionGroup -ResourceGroupName "<resource group name>" -Name "<action group name>"
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id
$scope = "/subscriptions/<subscription ID>"
New-AzActivityLogAlert -Name "<activity log alert rule name>" `
  -ResourceGroupName "<resource group name>" `
  -Condition $conditions `
  -Scope $scope `
  -Location "global" `
  -Action $actionObject `
  -SubscriptionId "<subscription ID>" `
  -Enabled:$true
Replace placeholder values as needed.
Exceptions
There are no acceptable exceptions unless policy enforcement is managed externally with equivalent alerting. If so, document this clearly for audit purposes.