Ensure that Activity Log Alert exists for Delete Policy Assignment

From Azure Console

1. Navigate to the Monitor blade.
2. Select Alerts.
3. Select Create.
4. Select Alert Rule.
5. Under Scope, click Select scope.
6. Select your subscription and click Apply.
7. Select the Condition tab.
8. Under Signal name, click Delete Policy Assignment (Microsoft.Authorization/policyAssignments).
9. Select the Actions tab.
10. Click Done.
11. To use an existing action group, click Select action groups. To create a new action group, click Create action group. Fill out the appropriate details for the selection.
12. Select the Details tab.
13. Select a Resource Group, provide an Alert rule name and an optional Alert rule description.
14. Click Review + create.
15. Click Create.

Using Azure Command Line Interface

Use the below command to create an Activity Log Alert for Delete Policy Assignment.

az monitor activity-log alert create --resource-group "<resource group name" --condition category=Administrative and operationName=Microsoft.Authorization/policyAssignments/delete and level=verbose --scope "/subscriptions/<subscription ID>" --name "<activity log rule name>" --subscription <subscription ID> --action-group <action group ID> 

Using Azure Powershell

Create the conditions object.

$conditions = @() 
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Administrative -Field category 
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Microsoft.Authorization/policyAssignments/delete -Field operationName 
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal Verbose -Field level

Get the Action Group information and store it in a variable, then create a new Action object.

$actionGroup = Get-AzActionGroup -ResourceGroupName <rg_name> -Name <action group name>
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id

Create the scope variable.

$scope = "/subscriptions/<subscription ID>"

Create the Activity Log Alert Rule for Microsoft.Authorization/policyAssignments/delete.

New-AzActivityLogAlert -Name "<activity alert rule name>" -ResourceGroupName "<rg_name>" -Condition $conditions -Scope $scope -Location global -Action $actionObject -Subscription “<subscription ID>” -Enabled $true

Default Value

By default, no monitoring alerts are created.

References

1. https://learn.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
2. https://learn.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
3. https://learn.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid
4. https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation
5. https://azure.microsoft.com/en-us/services/blueprints/

Multiple Remediation Paths

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

• Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
• Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
• Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

• Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

2. Remediate Existing Affected Assets

• Execute the control-specific Console/CLI steps documented above for each flagged resource.
• Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

• Re-scan after each remediation batch.
• Track exceptions with owner and expiry date.
• Add preventive checks in IaC/CI pipelines.