Watch a video on Entra ID Change Detection.

You can configure an Entra ID Custom Change Detection policy to detect changes in an Entra ID tenant based on users, service principals, or roles. You can also notify specific users via email if the configured changes are detected.

To create an Entra ID Custom Change Detection policy:

1. Go to ITDR > Manage > Change Detection > Entra.

2. Click Add Policy.

   See image.

   

   Close

   The Policy Details window appears.

3. In the Policy Details window:

   • Policy Name: Enter a name for the policy.
   • Tenant: Select an Entra ID tenant from the drop-down menu to which the policy must be applied.

   See image.

   

   Close

4. Click Save.

   The policy is added to the table.

5. Locate the policy that you added, and click the Edit icon under the Actions column.

   See image.

   

   Close

   The policy configuration window appears.

   See image.

   

   Close

6. In the policy configuration window, configure the required properties using which changes must be detected:
   • Users

     To detect changes based on user properties, go to Users and follow these steps:

     1. Select Enabled and click Save.

     2. Click Add User.

        See image.

        

        Close

        The Add User window appears.

     3. In the Add User window:

        1. Identity Name: Select an Entra ID user that must be monitored for changes from the drop-down menu.
        2. Change Type: Select the changes (Role Assignments, Password Changes, Changes in MFA, Being marked 'Risky', Delegated consent grants to applications, Administrative Units, and Group Memberships) that you want to detect for the selected identity.

        See image.

        

        Close

     4. Click Save.

     Close
   • Service Principals

     To detect changes based on service principal properties, go to Service Principal and follow these steps:

     1. Select Enabled and click Save.

     2. Click Add Service Principal.

        See image.

        

        Close

        The Add Service Principal window appears.

     3. In the Add Service Principal window:

        1. Identity Name: Select a service principal that must be monitored for changes from the drop-down menu.
        2. Change Type: Select the changes (Changes to secret/cert, Added/revoked Admin Consent, and Changed ownership) that you want to detect for the selected identity.

        See image.

        

        Close

     4. Click Save.

     Close
   • Roles

     To detect changes based on role properties, go to Role and follow these steps:

     1. Select Enabled and click Save.

     2. Click Add Role.

        See image.

        

        Close

        The Add Role window appears.

     3. In the Add Role window:

        1. Identity Name: Select a role that must be monitored for changes from the drop-down menu.
        2. Change Type: Select the changes (Additions and removals) that you want to detect for the selected identity.

        See image.

        

        Close

     4. Click Save.

     Close
   • Notify

     To notify specific users via email when the changes are detected by the policy conditions, go to Notify and follow these steps:

     1. Select Enabled.

     2. Users: Select the users that you want to notify for changes to the Entra ID tenant matching the policy conditions from the drop-down menu.

        See image.

        

        Close

     3. Click Save.

     Close

The policy is added, and the changes in the Entra ID tenant will be detected based on the policy configuration.