Description:
Create an activity log alert for the Create Policy Assignment event.
Rationale:
Monitoring for create policy assignment events gives insight into changes done in "Azure policy - assignments" and can reduce the time it takes to detect unsolicited changes.
From Azure Portal
From Azure CLI
az monitor activity-log alert create --resource-group "" --condition "category=Administrative and operationName=Microsoft.Authorization/policyAssignments/write and level=<verbose | information | warning | error | critical>" --scope "/subscriptions/" --name "" --subscription --action-group --location global
From PowerShell
Create the 'conditions' object.
$conditions = @()
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Authorization/policyAssignments/write -Field operationName
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level
Get the 'Action Group' information and store it in a variable, then create a new 'Action' object.
$actionGroup = Get-AzActionGroup -ResourceGroupName -Name
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id
Create the 'Scope' variable.
$scope = "/subscriptions/"
Create the 'Activity Log Alert Rule' for 'Microsoft.Authorization/policyAssignments/write'.
New-AzActivityLogAlert -Name "" -ResourceGroupName "" -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription -Enabled $true
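Neither procedure above shows how to confirm that a rule covering this event actually exists and is wired up. The following Python check is an added example, not part of this page or of any Azure tooling: it reads the JSON that `az monitor activity-log alert list -o json` returns (rules with `scopes`, `enabled`, `condition.allOf`, optionally nested `anyOf`, and `actions.actionGroups`) and reports the enabled rules that alert on Administrative `policyAssignments/write` events for a subscription; the sample rules, action group id and subscription id are constructed placeholders.

```python
import json
import sys

# Operation this recommendation alerts on; Azure matches condition values case-insensitively.
POLICY_ASSIGNMENT_WRITE = "microsoft.authorization/policyassignments/write"
SUB_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder subscription id


def _condition_covers(condition, field, value):
    """True if condition.allOf[] (descending into anyOf[] groups) has a leaf with field == value."""
    for entry in condition.get("allOf", []):
        for leaf in entry.get("anyOf") or [entry]:
            if leaf.get("field", "").lower() == field and leaf.get("equals", "").lower() == value:
                return True
    return False


def covering_alerts(alerts, subscription_id):
    """Names of enabled rules scoped to the subscription that fire on Administrative
    policyAssignments/write events and route to at least one action group."""
    scope = f"/subscriptions/{subscription_id}".lower()
    hits = []
    for rule in alerts:
        cond = rule.get("condition", {})
        if (rule.get("enabled")
                and any(s.lower() == scope for s in rule.get("scopes", []))
                and rule.get("actions", {}).get("actionGroups")
                and _condition_covers(cond, "category", "administrative")
                and _condition_covers(cond, "operationname", POLICY_ASSIGNMENT_WRITE)):
            hits.append(rule["name"])
    return hits


def _rule(name, enabled, operation, groups=("ag-placeholder-id",)):
    """Constructed rule in the shape returned by `az monitor activity-log alert list -o json`."""
    return {"name": name, "enabled": enabled, "scopes": [f"/subscriptions/{SUB_ID}"],
            "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                                    {"field": "operationName", "equals": operation}]},
            "actions": {"actionGroups": [{"actionGroupId": g} for g in groups]}}


SAMPLE_ALERTS = [  # constructed test data, not output from a real tenant
    _rule("policy-assignment-write", True, "Microsoft.Authorization/policyAssignments/write"),
    _rule("disabled-copy", False, "Microsoft.Authorization/policyAssignments/write"),
    _rule("no-action-group", True, "Microsoft.Authorization/policyAssignments/write", ()),
    _rule("nsg-write", True, "Microsoft.Network/networkSecurityGroups/write"),
]

if __name__ == "__main__":
    # Usage: az monitor activity-log alert list -o json | python3 check_alert.py <subscription-id>
    alerts = json.load(sys.stdin) if len(sys.argv) > 1 else SAMPLE_ALERTS
    found = covering_alerts(alerts, sys.argv[1] if len(sys.argv) > 1 else SUB_ID)
    print("PASS" if found else "FAIL", found)
```

A disabled rule, a rule with no action group, or a rule on another operation does not count as coverage, which mirrors what an auditor would check after running either procedure above.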