Description:

Create an Azure Activity Log Alert to detect when a Policy Assignment is deleted in a subscription. This ensures visibility into governance changes and prevents unnoticed removal of policy enforcement.


Rationale:

Monitoring delete events for Policy Assignments provides insight into changes made within Azure Policy – Assignments and helps reduce the time needed to detect unauthorized or accidental deletions. This improves security posture and ensures governance controls are restored quickly.


Impact:

Enabling this alert provides immediate notification when policy assignments are deleted, improving visibility and control. It helps detect unauthorized changes, supports compliance audits, reduces security risks, and enables faster incident response to policy enforcement gaps.


Default value:

By default, no monitoring alerts are configured for deleting Policy Assignments in Azure.


Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com 

  2. Navigate to Monitor

  3. Select Alerts

  4. Open Alert rules

  5. Verify an Activity Log Alert exists for the operation "Delete policy assignment"

  6. Verify the alert scope is set to the required subscription

  7. Verify that an Action Group is associated

  8. If no alert exists or the scope is incorrect, follow the implementation steps
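An added audit check, not part of this recommendation's own text, that applies the Test Plan's criteria (rule exists, is enabled, is scoped to the subscription, has an Action Group) to the JSON that `az monitor activity-log alert list` returns. It assumes the portal signal "Delete policy assignment" is stored in the rule condition as the operation name `Microsoft.Authorization/policyAssignments/delete`; the alert list below is a constructed sample.

```python
import json

# Resource-provider operation the portal signal "Delete policy assignment" maps to (assumed).
DELETE_OP = "Microsoft.Authorization/policyAssignments/delete"


def _targets_delete_op(condition):
    """True if any allOf clause pins operationName to the policy-assignment delete operation."""
    for clause in condition.get("allOf", []):
        if (clause.get("field", "").lower() == "operationname"
                and clause.get("equals", "").lower() == DELETE_OP.lower()):
            return True
    return False


def audit_delete_policy_assignment_alert(alerts, subscription_id):
    """Mirror the Test Plan. Returns (compliant, findings); findings explain each shortfall."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    findings = []
    for alert in alerts:
        name = alert.get("name", "<unnamed>")
        if not _targets_delete_op(alert.get("condition", {})):
            continue  # rule is about some other operation
        problems = []
        if not alert.get("enabled", False):
            problems.append("rule is disabled")
        if not any(s.lower().rstrip("/") == sub_scope for s in alert.get("scopes", [])):
            problems.append("scope is not the target subscription")
        if not alert.get("actions", {}).get("actionGroups"):
            problems.append("no Action Group attached")
        if not problems:
            return True, [f"{name}: compliant"]
        findings.append(f"{name}: " + ", ".join(problems))
    if not findings:
        findings.append("no Activity Log Alert rule targets " + DELETE_OP)
    return False, findings


# Constructed sample, trimmed to the fields the check reads. The second rule has no Action Group.
SAMPLE_ALERTS = json.loads("""[
 {"name": "nsg-delete", "enabled": true,
  "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
  "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                          {"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]},
  "actions": {"actionGroups": [{"actionGroupId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-monitor/providers/microsoft.insights/actionGroups/secops"}]}},
 {"name": "policy-assignment-delete", "enabled": true,
  "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
  "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                          {"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}]},
  "actions": {"actionGroups": []}}
]""")

if __name__ == "__main__":
    ok, notes = audit_delete_policy_assignment_alert(SAMPLE_ALERTS, "00000000-0000-0000-0000-000000000000")
    print("COMPLIANT" if ok else "NON-COMPLIANT", notes)
```

Feed it the real output of `az monitor activity-log alert list --subscription <id>` in place of the sample to reproduce the Test Plan without clicking through the portal.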


Implementation steps:

  1. Sign in to the Azure Portal at https://portal.azure.com 

  2. Navigate to Monitor

  3. Select Alerts

  4. Click Create and select Alert rule

  5. Under Scope, select the target subscription

  6. Under Condition, select Activity Log

  7. Set Category to Policy

  8. Under Condition, click See all signals, search for Operation name "Delete policy assignment", and select the signal

  9. Apply the condition

  10. Under Actions, select an existing Action Group or create a new one

  11. Under Details, select a resource group and provide an alert rule name

  12. Click Review + Create

  13. Click Create


Backout Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com 

  2. Navigate to Monitor

  3. Select Alerts

  4. Open Alert rules

  5. Locate the Activity Log Alert for "Delete policy assignment"

  6. Delete the alert rule

  7. Confirm the deletion


Reference: