General
This check monitors Conditional Access Policies in Entra ID for changes. Only the policy rules that you specify in Attic are monitored. In the event of a change, you will receive an alarm with the old and new values for each changed policy rule.
Rationale
This check can be used to monitor whether unintended and unwanted changes are being implemented, which would otherwise remain unnoticed for a long time.
Configuration
In Attic, you must set which policies should be monitored by Attic. To do this, open the status page of CHK-1168, and then add the values in the config. Values should be entered in the form of the Display Name of the policies.
Attic Fix
There is no fix available for this check. If a policy change occurs, you must manually check it and roll it back where necessary.
Manual instruction
Follow these steps to undo an unwanted change:
- Open Entra ID via https://entra.microsoft.com
- Go to Conditional Access
- Under Protection, Go to Policies
- Find the policy in question, validate that it has indeed been changed and restore it with old values received in Attic if necessary.
More information
This check was developed at the request of our partner NEH Group. We are grateful to our partners for this kind of constructive contributions!
In Dutch:
Comments
0 comments
Please sign in to leave a comment.