Conditional Access Policy Change Diff and Restoration from Audit Logs

After spending an hour today figuring out when a specific change had happened to a Conditional Access Policy in production, I figured there has to be a faster way to do this. Spent some time playing around with the audit logs, and now I have a tool allowing me to compare a policy to any point in time.

I must say I am really happy with the end result! Check it out 🤓
Conditional Access policy change diff
Restore conditional access policies from audit log

Practice Verified Codes and Commands:

1. Extracting Audit Logs for Conditional Access Policies:

# Every sign-in record lists each policy that was evaluated, so filter on the evaluation result rather than on the property existing
Get-AzureADAuditSignInLogs -Filter "createdDateTime gt 2023-10-01T00:00:00Z" | Where-Object { $_.AppliedConditionalAccessPolicies.Result -contains "success" }

This command retrieves sign-in logs in which a Conditional Access Policy was applied after October 1, 2023. Sign-in logs show where a policy took effect; the history of changes to the policy itself is recorded in the directory audit logs (step 3).

2. Comparing Policies Over Time:

$oldPolicy = Get-AzureADMSConditionalAccessPolicy -PolicyId "old-policy-id"
$newPolicy = Get-AzureADMSConditionalAccessPolicy -PolicyId "new-policy-id"
# Conditions is a nested object, so comparing it by property only compares its type name; serialise both policies and diff line by line
Compare-Object -ReferenceObject (($oldPolicy | ConvertTo-Json -Depth 10) -split "`n") -DifferenceObject (($newPolicy | ConvertTo-Json -Depth 10) -split "`n")

This script fetches two Conditional Access Policies by ID and lists the lines of their JSON representation that differ.

3. Restoring Policies from Audit Logs:

$auditLogs = Get-AzureADAuditDirectoryLogs -Filter "category eq 'Policy' and activityDisplayName eq 'Update conditional access policy'"
$entry = $auditLogs | Where-Object { $_.TargetResources.Id -eq "<policy-id>" } | Select-Object -First 1   # newest change to that policy
# The audit entry stores the policy before (OldValue) and after (NewValue) the change as JSON in ModifiedProperties; OldValue is the version to restore
$snapshot = ($entry.TargetResources.ModifiedProperties | Where-Object { $_.DisplayName -eq "ConditionalAccessPolicy" }).OldValue | ConvertFrom-Json
# -Conditions and -GrantControls expect the module's typed objects; the snapshot JSON can also be posted as-is to the Graph policies endpoint
New-AzureADMSConditionalAccessPolicy -DisplayName "Restored Policy" -State $snapshot.state -Conditions $snapshot.conditions -GrantControls $snapshot.grantControls

This recreates the policy from the pre-change snapshot stored in the audit entry.
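The diff-and-restore workflow described in the post, as an added PowerShell example that is neither the post author's tool nor Undercode's code. It runs offline on a constructed audit entry whose shape follows the Entra directory audit record for "Update conditional access policy" (a ModifiedProperties entry named ConditionalAccessPolicy carrying the policy JSON before and after the change); the policy id, the account names and the Graph calls in the trailing comment are placeholders and assumptions.

```powershell
# Constructed sample audit entry: mirrors an Entra "Update conditional access policy" directory audit
# record, whose ModifiedProperties entry named ConditionalAccessPolicy holds the policy JSON before/after.
$before = @{ displayName = 'Require MFA for admins'; state = 'enabled'
    conditions    = @{ users = @{ includeRoles = @('Global Administrator'); excludeUsers = @() }; applications = @{ includeApplications = @('All') } }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') } }
$after = $before | ConvertTo-Json -Depth 10 | ConvertFrom-Json           # deep copy, then apply the "change"
$after.state = 'enabledForReportingButNotEnforced'
$after.conditions.users.excludeUsers = @('breakglass@contoso.example')   # placeholder account
$entry = [pscustomobject]@{ ActivityDateTime = '2023-10-05T14:02:11Z'; ActivityDisplayName = 'Update conditional access policy'
    TargetResources = @([pscustomobject]@{ Id = '<policy-id>'; Type = 'Policy'
        ModifiedProperties = @([pscustomobject]@{ DisplayName = 'ConditionalAccessPolicy'
            OldValue = ($before | ConvertTo-Json -Depth 10 -Compress); NewValue = ($after | ConvertTo-Json -Depth 10 -Compress) }) }) }
function ConvertTo-FlatMap($Object, [string]$Prefix = '') {
    # Flatten nested policy JSON into "path = leaf value" pairs so two snapshots compare key by key
    $map = @{}
    if ($Object -is [System.Management.Automation.PSCustomObject]) {
        foreach ($p in $Object.PSObject.Properties) { $map += ConvertTo-FlatMap $p.Value "$Prefix$($p.Name)." }
    } elseif ($Object -is [array]) {
        for ($i = 0; $i -lt $Object.Count; $i++) { $map += ConvertTo-FlatMap $Object[$i] "$($Prefix.TrimEnd('.'))[$i]." }
    } else { $map[$Prefix.TrimEnd('.')] = "$Object" }
    return $map
}
function Get-CASnapshot($AuditEntry, $Side) {   # $Side is 'OldValue' (before the change) or 'NewValue'
    $prop = $AuditEntry.TargetResources[0].ModifiedProperties | Where-Object DisplayName -eq 'ConditionalAccessPolicy'
    return ($prop.$Side | ConvertFrom-Json)
}
function Get-CAPolicyDiff($AuditEntry) {
    # Every leaf whose value changed; an empty Before or After means the leaf was added or removed
    $old = ConvertTo-FlatMap (Get-CASnapshot $AuditEntry 'OldValue')
    $new = ConvertTo-FlatMap (Get-CASnapshot $AuditEntry 'NewValue')
    foreach ($path in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
        if ($old[$path] -ne $new[$path]) { [pscustomobject]@{ Path = $path; Before = $old[$path]; After = $new[$path] } }
    }
}
function Get-CAPolicyRestoreBody($AuditEntry) {
    # Graph body that recreates the pre-change version: server-assigned fields dropped, created disabled for review
    $snap = Get-CASnapshot $AuditEntry 'OldValue'
    foreach ($ro in 'id', 'createdDateTime', 'modifiedDateTime') {
        if ($snap.PSObject.Properties[$ro]) { $snap.PSObject.Properties.Remove($ro) }
    }
    $snap.displayName = "$($snap.displayName) (restored from $($AuditEntry.ActivityDateTime))"
    $snap.state = 'disabled'
    return ($snap | ConvertTo-Json -Depth 10)
}
Get-CAPolicyDiff $entry | Format-Table -AutoSize
$body = Get-CAPolicyRestoreBody $entry
# Live use: fetch the real entry with Get-MgAuditLogDirectoryAudit, then
# Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' -Body $body
```

On the sample entry the diff reports two changed leaves, state and conditions.users.excludeUsers[0]; the restore body is the OldValue snapshot with its id and timestamps removed and state set to disabled.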

What Undercode Says:

Conditional Access Policies are critical for securing cloud environments, and tracking changes to them is essential for maintaining security and compliance. By reading the Azure AD audit logs, administrators can see exactly when a policy changed, what changed, and restore it to a previous state. The PowerShell commands above cover extracting the relevant log entries, comparing policy versions, and restoring a policy, which shortens the time between a bad change and its rollback.

For further exploration, consider Azure Monitor and Log Analytics for longer retention and advanced queries over the audit data. Forwarding the same audit events to a SIEM such as Microsoft Sentinel allows real-time alerts and automated responses when a policy changes.

By mastering these tools and commands, IT professionals can ensure robust security measures and streamline policy management in dynamic cloud environments.

References:

Initially reported by: https://www.linkedin.com/posts/jorund-kaarstad-dahl_restore-condtitional-access-policies-from-activity-7301325683681615872-USRW