
Auditing Conditional Access policy changes in Microsoft Entra is essential for tracking who modified, added, or deleted policies—and for preserving organizational sanity during surprise compliance reviews. Here’s a simple step-by-step guide using the built-in audit logs and advanced options for deeper visibility.
Steps to Audit Conditional Access Policy Changes
1. Log Into Microsoft Entra Admin Center
• Sign in with at least Reports Reader or Conditional Access Administrator privileges.
2. Go to Audit Logs
• Navigate to Entra ID > Monitoring & Health > Audit logs.
• Adjust the date range as needed to review recent or historical changes.
3. Filter Policies & Activities
• Use the Service filter and select “Conditional Access.”
• Set the Activity filter to actions like “Add conditional access policy,” “Update conditional access policy,” or “Delete conditional access policy” to narrow your review.
4. Review Policy Change Details
• Click on a specific log entry for the details panel.
• On the Modified Properties tab, view exactly what was changed, with differences highlighted—and who changed them (user ID, timestamp, IP address).
• The inline view visualizes changes side-by-side for easy comparison.
5. Advanced Investigation (Optional)
• Use Log Analytics (Azure Monitor) for custom KQL query auditing. Example:
AuditLogs
| where OperationName =~ "Update conditional access policy"
Find the changes under “TargetResources”, in the nested “modifiedProperties” field.
• Create alerts or automated email notifications based on policy modifications to catch suspicious or unauthorized changes quickly.
6. Additional Tools
• Conditional Access insights and reporting allows for dashboard overviews and analysis of policy impact over time.
• ADAudit Plus, Microsoft365DSC, and Defender for Cloud Apps portals offer further options for tracking and exporting change records if enhanced reports are needed.
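Building on the Log Analytics query in step 5, the following is an added example (not from the original article) that covers add, update and delete operations and surfaces who made each change, from which IP, and whether an enabled policy was disabled or removed. The 30-day window, the output column names, and the assumption that the first modifiedProperties entry carries the policy as JSON text with a state field are choices made for this example.

```kql
// Added example: Conditional Access policy changes with actor, source IP
// and the before/after policy state. Suitable as the basis for an alert rule.
AuditLogs
| where TimeGenerated > ago(30d)   // lookback window is an assumption; adjust as needed
| where OperationName in~ ("Add conditional access policy",
                           "Update conditional access policy",
                           "Delete conditional access policy")
// The initiator is either a user or an application / service principal.
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                          tostring(InitiatedBy.app.displayName))
| extend ActorIp = tostring(InitiatedBy.user.ipAddress)
| extend Policy = tostring(TargetResources[0].displayName),
         PolicyId = tostring(TargetResources[0].id)
// Assumption: the first modifiedProperties entry holds the policy as JSON text.
| extend OldPolicy = parse_json(tostring(TargetResources[0].modifiedProperties[0].oldValue)),
         NewPolicy = parse_json(tostring(TargetResources[0].modifiedProperties[0].newValue))
| extend OldState = tostring(OldPolicy.state),
         NewState = tostring(NewPolicy.state)
// Flag deletions and any change that takes a policy out of the enabled state.
| extend Weakened = OperationName =~ "Delete conditional access policy"
                    or (OldState == "enabled" and NewState != "enabled")
| project TimeGenerated, OperationName, Result, Actor, ActorIp,
          Policy, PolicyId, OldState, NewState, Weakened, OldPolicy, NewPolicy
| order by TimeGenerated desc
```

Appending `| where Weakened` narrows the output to the changes most worth alerting on.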
Best Practices
• Set up regular audits and change alerts for CA policies to avoid “policy surprise syndrome.”
• Always compare modified values and evaluate the impact before approving broad changes.
• Use the “What If” tool in Entra for policy impact simulation prior to implementation for safer rollouts.
With these steps, you can confidently track Conditional Access modifications, pinpoint the who/what/when of every change, and maintain airtight audit trails for every policy twist and turn.