Use PowerShell to audit the Conditional Access Policies and alert via email

Conditional Access in Azure Active Directory needs no introduction. To read more information about Conditional Access, please refer to https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

In my recent assignment, there was an ask to back up the conditional access policies every day and also notify through email for a list of conditional policies that are created or modified in the last 24 hours.

I know that there are many blog posts out there to monitor the conditional access policies by enabling the diagnostic settings (export the audit logs), creating logic apps, power automate and other tools in a programmatic way and alert instantly, but that needs subscription and other extra components to achieve it. What if you don’t have any subscription or extra components in place but you like to monitor the CA policies using built-in tools such as PowerShell script?

In this blog post, I will show you how to backup the conditional access policy and notify email with a list of policies that are changed or modified. Using this solution, won’t alert you the changes instantly but notify the changes at a scheduled interval.

We will use the built-in Azure AD preview PowerShell cmdlet Get-AzureADMSConditionalAccessPolicy to get the Azure Active Directory conditional access policies.

Why preview? There are some important details about the CA policy such as the creation date, modified date available only in preview at the time of writing this blog post.


image

To ease your BAU tasks, this script is useful. You need to edit the script with email information such as sender, receiver, SMTP, user account to connect to Azure AD (encrypted format), etc.

Once you define all the variables, you can schedule the task to run every 24 hours for email notifications.
You can run the script with a least-privileged account such as a global reader or any equivalent account that has read access to Conditional Access Policies.

This script needs the Azure AD PowerShell module to be pre-installed on the device where you run the script.
The output of the script will look like something below.

Conditional Access policy changes file:

Email notification incase any changes to the conditional Access policies

and finally the script can be downloaded from GitHub here

You can always customize the script to suite your needs.

Hope you find this post useful!

4 Responses to "Use PowerShell to audit the Conditional Access Policies and alert via email"

    1. Hi,
      you can use audit logs to see who modified the policy.
      The script will audit the changes made to the CA policies and record it.

      Thanks,
      Eswar

      Reply

Leave a Reply