Verify that Activity Log Alert exists for Delete Policy Assignment

Framework Reference: A.8.16 Integration: Azure – Activity Log Alerts

Why this matters

Azure Policy Assignments enforce organizational controls across cloud resources. Deleting these assignments weakens compliance enforcement, can permit drift from security baselines, and increases risk exposure.

By monitoring Microsoft.Authorization/policyAssignments/delete events, your organization gains real-time insight into attempts to remove policy enforcement and can react immediately to unauthorized or accidental changes.

What this check does

This Auto Check verifies whether an Activity Log Alert exists in your Azure environment that captures deletion events of Policy Assignments.

Check Logic:
Pass if an enabled alert exists with:

Category = Administrative
Operation name = Microsoft.Authorization/policyAssignments/delete
No filters applied on Level, Status, or Caller
An Action Group is assigned for notification

Fail if:

No such alert is configured
Alert is misconfigured (e.g., wrong operation, no action group, or disabled)

How to fix it

Set up the required Activity Log Alert using one of the following methods:

Via Azure Portal:
Go to Monitor > Alerts > Alert rules
Click Create > Alert rule
Choose the target Subscription
Under Condition, click See all signals
Select Delete policy assignment
Operation = Microsoft.Authorization/policyAssignments/delete
Category = Administrative
Under Actions, assign or create an Action Group
Under Details, define alert name, description, and resource group
Click Review + create, then Create

Via Azure CLI:

az monitor activity-log alert create \ --name "<activity log rule name>" \ --resource-group "<resource group name>" \ --scope "/subscriptions/<subscription ID>" \ --condition category=Administrative and operationName=Microsoft.Authorization/policyAssignments/delete \ --action-group <action group ID> \ --enabled true

Via PowerShell:

$conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Administrative" -Field "category" $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Microsoft.Authorization/policyAssignments/delete" -Field "operationName" $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Verbose" -Field "level" $actionGroup = Get-AzActionGroup -ResourceGroupName "<resource group name>" -Name "<action group name>" $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id $scope = "/subscriptions/<subscription ID>" New-AzActivityLogAlert -Name "<activity log alert rule name>" ` -ResourceGroupName "<resource group name>" ` -Condition $conditions ` -Scope $scope ` -Location "global" ` -Action $actionObject ` -Subscription "<subscription ID>" ` -Enabled $true

Replace placeholder values as needed.

Exceptions

There are no acceptable exceptions unless policy enforcement is managed externally with equivalent alerting. If so, document this clearly for audit purposes.