Ensure that Activity Log Alert exists for Delete Policy Assignment

From Azure Console

1. Navigate to the Monitor blade.
2. Select Alerts.
3. Select Create.
4. Select Alert Rule.
5. Under Scope, click Select scope.
6. Select your subscription and click Apply.
7. Select the Condition tab.
8. Under Signal name, click Delete Policy Assignment (Microsoft.Authorization/policyAssignments).
9. Select the Actions tab.
10. Click Done.
11. To use an existing action group, click Select action groups. To create a new action group, click Create action group. Fill out the appropriate details for the selection.
12. Select the Details tab.
13. Select a Resource Group, provide an Alert rule name and an optional Alert rule description.
14. Click Review + create.
15. Click Create.

Using Azure Command Line Interface

Use the below command to create an Activity Log Alert for Delete Policy Assignment.

az monitor activity-log alert create --resource-group "<resource group name" --condition category=Administrative and operationName=Microsoft.Authorization/policyAssignments/delete and level=verbose --scope "/subscriptions/<subscription ID>" --name "<activity log rule name>" --subscription <subscription ID> --action-group <action group ID> 

Using Azure Powershell

Create the conditions object.

$conditions = @() 
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category 
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Authorization/policyAssignments/delete -Field operationName 
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level

Get the Action Group information and store it in a variable, then create a new Action object.

$actionGroup = Get-AzActionGroup -ResourceGroupName <rg_name> -Name <action group name>
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id

Create the scope variable.

$scope = "/subscriptions/<subscription ID>"

Create the Activity Log Alert Rule for Microsoft.Authorization/policyAssignments/delete.

New-AzActivityLogAlert -Name "<activity alert rule name>" -ResourceGroupName "<rg_name>" -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription “<subscription ID>” -Enabled $true

Default Value

By default, no monitoring alerts are created.

References

1. https://learn.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
2. https://learn.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
3. https://learn.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid
4. https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation
5. https://azure.microsoft.com/en-us/services/blueprints/

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

Azure

Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.

Operational rollout

1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
3. Re-scan and track approved exceptions with an owner and expiry date.