Verify that Activity Log Alert exists for Delete Policy Assignment
Why this matters
Azure Policy Assignments enforce organizational controls across cloud resources. Deleting these assignments weakens compliance enforcement, can permit drift from security baselines, and increases risk exposure.
By monitoring Microsoft.Authorization/policyAssignments/delete events, your organization gains real-time insight into attempts to remove policy enforcement and can react immediately to unauthorized or accidental changes.
What this check does
This Auto Check verifies whether an Activity Log Alert exists in your Azure environment that captures deletion events of Policy Assignments.
Check Logic:
Pass if an enabled alert exists with:
- Category = Administrative
- Operation name = Microsoft.Authorization/policyAssignments/delete
- No filters applied on Level, Status, or Caller
- An Action Group is assigned for notification
Fail if:
- No such alert is configured
- Alert is misconfigured (e.g., wrong operation, no action group, or disabled)
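As an added example (not part of this check's own implementation), the Check Logic above expressed as a Python function over alert rules in the JSON shape produced by `az monitor activity-log alert list -o json`; the sample rules and resource IDs below are constructed placeholders, not data from a real tenant.

```python
REQUIRED_OP = "microsoft.authorization/policyassignments/delete"
FORBIDDEN_FILTER_FIELDS = {"level", "status", "caller"}

def evaluate_rule(rule):
    """Return (passes, reasons) for one rule as listed by `az monitor activity-log alert list -o json`."""
    reasons = []
    if not rule.get("enabled", False):
        reasons.append("alert is disabled")
    equals = {}              # field -> value for simple leaf conditions
    filtered_fields = set()  # every field that any condition constrains
    for leaf in (rule.get("condition") or {}).get("allOf") or []:
        # Nested anyOf blocks still filter on the fields they mention (az emits null, not [], when unused)
        for inner in leaf.get("anyOf") or []:
            filtered_fields.add((inner.get("field") or "").lower())
        if leaf.get("field"):
            field = leaf["field"].lower()
            equals[field] = str(leaf.get("equals", "")).lower()
            filtered_fields.add(field)
    if equals.get("category") != "administrative":
        reasons.append("category is not Administrative")
    if equals.get("operationname") != REQUIRED_OP:
        reasons.append("operationName is not the policy assignment delete operation")
    extra = filtered_fields & FORBIDDEN_FILTER_FIELDS
    if extra:
        reasons.append(f"filters present on {sorted(extra)}")
    groups = (rule.get("actions") or {}).get("actionGroups") or []
    if not any(g.get("actionGroupId") for g in groups):
        reasons.append("no action group assigned")
    return (not reasons, reasons)

def check_subscription(rules):
    """The check passes when at least one rule satisfies every criterion."""
    return any(evaluate_rule(r)[0] for r in rules)

# Constructed sample rules with placeholder IDs, not data from a real tenant.
SAMPLE_RULES = [
    {"name": "policy-delete-ok", "enabled": True,
     "condition": {"allOf": [
         {"field": "category", "equals": "Administrative"},
         {"field": "operationName",
          "equals": "Microsoft.Authorization/policyAssignments/delete"}]},
     "actions": {"actionGroups": [{"actionGroupId": "/subscriptions/<subscription ID>/resourceGroups/<rg>/providers/microsoft.insights/actionGroups/<name>"}]}},
    {"name": "policy-delete-bad", "enabled": True,  # level filter and no action group
     "condition": {"allOf": [
         {"field": "category", "equals": "Administrative"},
         {"field": "operationName",
          "equals": "Microsoft.Authorization/policyAssignments/delete"},
         {"field": "level", "equals": "Verbose"}]},
     "actions": {"actionGroups": []}},
]
```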
How to fix it
Set up the required Activity Log Alert using one of the following methods:
Via Azure Portal:
- Go to Monitor > Alerts > Alert rules
- Click Create > Alert rule
- Choose the target Subscription
- Under Condition, click See all signals
- Select Delete policy assignment (Operation = Microsoft.Authorization/policyAssignments/delete, Category = Administrative)
- Under Actions, assign or create an Action Group
- Under Details, define alert name, description, and resource group
- Click Review + create, then Create
Via Azure CLI:
az monitor activity-log alert create \
--name "<activity log rule name>" \
--resource-group "<resource group name>" \
--scope "/subscriptions/<subscription ID>" \
--condition "category=Administrative and operationName=Microsoft.Authorization/policyAssignments/delete" \
--action-group <action group ID> \
--enabled true
Via PowerShell:
# Build only the two conditions the check requires; adding a condition on
# level, status, or caller would make the alert fail the "no filters" criterion
$conditions = @()
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Administrative" -Field "category"
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Microsoft.Authorization/policyAssignments/delete" -Field "operationName"
# Reference an existing Action Group so notifications are delivered
$actionGroup = Get-AzActionGroup -ResourceGroupName "<resource group name>" -Name "<action group name>"
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id
$scope = "/subscriptions/<subscription ID>"
New-AzActivityLogAlert -Name "<activity log alert rule name>" `
-ResourceGroupName "<resource group name>" `
-Condition $conditions `
-Scope $scope `
-Location "global" `
-Action $actionObject `
-Subscription "<subscription ID>" `
-Enabled $true
Replace placeholder values as needed.
Exceptions
There are no acceptable exceptions unless policy enforcement is managed externally with equivalent alerting. If so, document this clearly for audit purposes.