Change tracking for Conditional Access Policies
Support some kind of change tracking or auditing in regards to changes made for Conditional Access Policies?
This is in progress, you can see a preview when creating policy thought the Conditional Access API. Coming soon to polices created in the Conditional Access UX.
35 comments
-
Anonymous
commented
Please provide an update on the status - this is a must needed feature!
-
Anonymous
commented
Is there any update on this? I have used KQL query in L.A. workspaces and I can only get ALL policies to fire off an Alert against Audit Logging - this is cumbersome as then I have to go through the alerts and see if one is actually a Conditional Access Policy. Signin logs are a separate area, I am only interested in any changes made to a CAP and by who.
-
Rene Rangel
commented
Any update on this? "Coming soon" was stated early October 2020.
-
Thomas G
commented
Any update on this? "Coming soon" was stated early October 2020.
-
Mark
commented
@chris tyo: modifiedtime is always null in our case, so we can't use this method. Needs Microsoft to fix this for CA policies created in the portal.
-
Chris Tyo
commented
For those still looking for a solution for this, we ended up doing it ourselves based on modifiedtime from results of a graph API query --- https://docs.microsoft.com/en-us/graph/api/resources/conditionalaccesspolicy?view=graph-rest-1.0
-
Anonymous
commented
This is a thing, why is it not available?
-
Morris, Douglas
commented
How is this not a thing? Core security rules are not audited for changes?
-
Shannon Sandven
commented
Yes, this is a MUST have. Someone changed the way our conditional access policies behave and there are loads of issues we are having to work through because of it. I NEED to make sure that it wasn't me...lol
-
Anonymous
commented
At a minimum the Azure Portal should show when a Conditional Access Policy was altered and by whom...
-
Anonymous
commented
This is a major problem for such important functions as conditional access. Impossible to believe it was actually true.
-
Nigel Doodt
commented
This needs to be an absolute priority to be implemented. Security control 101.
-
Darragh O'Shaughnessy
commented
Just came across an issue. I can't believe 'Modified Properties' within the audit trail for Conditional Access Policies is still in preview. This is an enterprise platform :|
-
Philip
commented
Meanwhile there are ways to achieve this with Log Analytics and Alerts: https://tech.nicolonsky.ch/conditional-access-and-azure-log-analytics-in-harmony/
-
Sivakumar Ramalingam
commented
This is absolutely required - its a shame that this basic level of auditing is not yet implemented and its been on "planned" stage for this long.
If there is someone from @MSFT monitoring this thread, please provide an update.
-
John McCash
commented
So.... I'm almost afraid to ask this, but if they haven't been logging something this critical from the beginning, what ELSE aren't they logging? Has anyone done a comprehensive search through their logs looking for missing information in other types of change audit log entries?
-
Tom Perkins
commented
Any update on this? It's been well over a year since this was "planned"
-
Glynn, Karen
commented
We could desperately do with this as we have just had a breach and have no way of identifying when or who did it.
-
David Vernon
commented
This would solve many headaches for us (major bank)
-
GUISADO FERRER Ernesto
commented
+1