Monitor Conditional Access Policies [CHK-1168]
This check monitors changes to Conditional Access Policies in Entra ID. Only the policy rules specified in the Attic configuration are monitored. When a change is detected, an alarm is triggered that lists the old and new values for each changed policy rule.
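The comparison described above can be sketched as follows. This is an added example, not Attic's own code: it assumes the monitored policy rules are expressed as dotted paths into the Microsoft Graph `conditionalAccessPolicy` resource, and the two snapshots are constructed sample data.

```python
import json

# Assumption: dotted paths into the Microsoft Graph conditionalAccessPolicy
# resource stand in for the policy rules selected in the Attic configuration.
MONITORED_RULES = [
    "state",
    "conditions.users.excludeUsers",
    "conditions.applications.includeApplications",
    "grantControls.operator",
    "grantControls.builtInControls",
]
MISSING = "<absent>"  # reported when a rule (or its parent object) is not set

def get_rule(policy, path):
    """Walk a dotted path; a missing key or null parent yields MISSING."""
    node = policy
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node

def normalize(value):
    """Sort lists so that reordering alone does not raise an alarm."""
    if isinstance(value, list):
        return sorted((normalize(v) for v in value), key=json.dumps)
    return value

def diff_policy(old, new, rules=MONITORED_RULES):
    """Return one {rule, old, new} record per monitored rule that changed."""
    changes = []
    for path in rules:
        before, after = (normalize(get_rule(p, path)) for p in (old, new))
        if before != after:
            changes.append({"rule": path, "old": before, "new": after})
    return changes

# Constructed sample snapshots of one policy (ids are placeholders).
OLD = {
    "displayName": "Require MFA for admins", "state": "enabled",
    "conditions": {"users": {"excludeUsers": ["id-breakglass"]},
                   "applications": {"includeApplications": ["app-a", "app-b"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
NEW = {**OLD, "displayName": "Require MFA for admins v2", "state": "disabled",
       "conditions": {"users": {"excludeUsers": ["id-breakglass", "id-new"]},
                      "applications": {"includeApplications": ["app-b", "app-a"]}}}

print(json.dumps(diff_policy(OLD, NEW), indent=2))
```

The rename and the reordered application list produce no record, because `displayName` is not in the monitored set and lists are compared order-insensitively.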
Rationale
Monitoring Conditional Access Policies helps detect unintended and unwanted changes, which could otherwise remain unnoticed for a long time, potentially compromising the security of your organization's resources.
Fix
An automated fix is not available for this check. If a policy change occurs, you must manually check it and roll it back where necessary.
Manual steps:
- Open Entra ID via https://entra.microsoft.com
- Go to Conditional Access
- Under Protection, go to Policies
- Find the policy in question, validate that it has indeed been changed, and restore it with the old values received in Attic if necessary.
Impact
Restoring the policy to its previous state ensures that your organization's Conditional Access Policies continue to meet your security requirements.
More Information
This check was developed at the request of our partner NEH Group. For more information, visit https://neh.nl/neh-attic-samenwerking-verbeterde-cyberbeveiliging-woningcorporaties/.