
Creating an Entra ID Custom Change Detection Policy

Watch a video on Entra ID Change Detection.

You can configure an Entra ID Custom Change Detection policy to detect changes in an Entra ID tenant based on users, service principals, or roles. You can also notify specific users via email if the configured changes are detected.

To create an Entra ID Custom Change Detection policy:

  1. Go to ITDR > Manage > Change Detection > Entra.
  2. Click Add Policy.

    The Policy Details window appears.

  3. In the Policy Details window:

    • Policy Name: Enter a name for the policy.
    • Tenant: From the drop-down menu, select the Entra ID tenant to which the policy applies.

  4. Click Save.

    The policy is added to the table.

  5. Locate the policy that you added, and click the Edit icon under the Actions column.

    The policy configuration window appears.

  6. In the policy configuration window, configure the properties whose changes must be detected:

    • To detect changes based on user properties, go to Users and follow these steps:

      1. Select Enabled and click Save.
      2. Click Add User.

        The Add User window appears.

      3. In the Add User window:

        1. Identity Name: From the drop-down menu, select the Entra ID user to monitor for changes.
        2. Change Type: Select the changes (Role Assignments, Password Changes, Changes in MFA, Being marked 'Risky', Delegated consent grants to applications, Administrative Units, and Group Memberships) that you want to detect for the selected identity.

      4. Click Save.
    • To detect changes based on service principal properties, go to Service Principal and follow these steps:

      1. Select Enabled and click Save.
      2. Click Add Service Principal.

        The Add Service Principal window appears.

      3. In the Add Service Principal window:

        1. Identity Name: From the drop-down menu, select the service principal to monitor for changes.
        2. Change Type: Select the changes (Changes to secret/cert, Added/revoked Admin Consent, and Changed ownership) that you want to detect for the selected identity.

      4. Click Save.
    • To detect changes based on role properties, go to Role and follow these steps:

      1. Select Enabled and click Save.
      2. Click Add Role.

        The Add Role window appears.

      3. In the Add Role window:

        1. Identity Name: From the drop-down menu, select the role to monitor for changes.
        2. Change Type: Select the changes (Additions and removals) that you want to detect for the selected identity.

      4. Click Save.
    • To notify specific users via email when changes matching the policy conditions are detected, go to Notify and follow these steps:

      1. Select Enabled.
      2. Users: From the drop-down menu, select the users to notify when changes in the Entra ID tenant match the policy conditions.

      3. Click Save.

The policy is added, and the changes in the Entra ID tenant will be detected based on the policy configuration.
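To make the matching behaviour of such a policy concrete, the following Python sketch is an added illustration and not the product's own code or any documented API: it models a policy as one tenant, an enabled/disabled section per identity kind (users, service principals, roles) listing the monitored identities and the change types selected for each, and a Notify section, then evaluates constructed change events against it. The tenant, identity names, recipient address and sample events are all made up; the change-type names are the ones listed in the procedure above.

```python
"""Assumed model of an Entra ID custom change detection policy (illustration only)."""
from dataclasses import dataclass, field

# Change types offered by each section, as listed in the procedure above.
CHANGE_TYPES = {
    "user": {
        "Role Assignments", "Password Changes", "Changes in MFA",
        "Being marked 'Risky'", "Delegated consent grants to applications",
        "Administrative Units", "Group Memberships",
    },
    "service_principal": {
        "Changes to secret/cert", "Added/revoked Admin Consent", "Changed ownership",
    },
    "role": {"Additions and removals"},
}


@dataclass
class Section:
    kind: str                  # "user", "service_principal" or "role"
    enabled: bool = False
    watched: dict = field(default_factory=dict)  # identity name -> selected change types

    def add(self, identity: str, *change_types: str) -> None:
        """Equivalent of the Add User / Add Service Principal / Add Role window."""
        unknown = set(change_types) - CHANGE_TYPES[self.kind]
        if unknown:
            raise ValueError(f"{self.kind} section does not offer {sorted(unknown)}")
        self.watched.setdefault(identity, set()).update(change_types)


@dataclass
class Policy:
    name: str
    tenant: str
    users: Section = field(default_factory=lambda: Section("user"))
    service_principals: Section = field(default_factory=lambda: Section("service_principal"))
    roles: Section = field(default_factory=lambda: Section("role"))
    notify_enabled: bool = False
    notify_users: list = field(default_factory=list)

    def section(self, kind: str) -> Section:
        return {"user": self.users, "service_principal": self.service_principals,
                "role": self.roles}[kind]


@dataclass(frozen=True)
class ChangeEvent:
    tenant: str
    kind: str
    identity: str
    change_type: str


def matches(policy: Policy, event: ChangeEvent) -> bool:
    """A change is detected only if the tenant matches, the section for that
    identity kind is enabled, the identity is monitored and the type is selected."""
    if event.tenant != policy.tenant:
        return False
    section = policy.section(event.kind)
    if not section.enabled:
        return False
    return event.change_type in section.watched.get(event.identity, set())


def evaluate(policy: Policy, events: list) -> list:
    """Return (event, recipients) for every event the policy detects; recipients
    is empty when the Notify section is disabled."""
    recipients = list(policy.notify_users) if policy.notify_enabled else []
    return [(e, recipients) for e in events if matches(policy, e)]


def build_example_policy() -> Policy:
    p = Policy(name="Privileged identity watch", tenant="contoso.example")  # constructed
    p.users.enabled = True
    p.users.add("alice@contoso.example", "Role Assignments", "Changes in MFA")
    p.service_principals.enabled = True
    p.service_principals.add("backup-automation", "Changes to secret/cert")
    # Role section deliberately left disabled: its entries must not fire.
    p.roles.add("Global Administrator", "Additions and removals")
    p.notify_enabled = True
    p.notify_users = ["secops@contoso.example"]
    return p


# Constructed sample events, not real audit data.
SAMPLE_EVENTS = [
    ChangeEvent("contoso.example", "user", "alice@contoso.example", "Role Assignments"),  # detected
    ChangeEvent("contoso.example", "user", "alice@contoso.example", "Password Changes"),  # type not selected
    ChangeEvent("contoso.example", "user", "bob@contoso.example", "Role Assignments"),    # not monitored
    ChangeEvent("fabrikam.example", "user", "alice@contoso.example", "Changes in MFA"),   # other tenant
    ChangeEvent("contoso.example", "service_principal", "backup-automation", "Changes to secret/cert"),  # detected
    ChangeEvent("contoso.example", "role", "Global Administrator", "Additions and removals"),  # section disabled
]

if __name__ == "__main__":
    for event, to in evaluate(build_example_policy(), SAMPLE_EVENTS):
        print(f"{event.kind}:{event.identity} {event.change_type} -> notify {to}")
```

Only two of the six sample events are reported: the disabled Role section, the unmonitored identity, the unselected change type and the foreign tenant are all filtered out, which mirrors why each section must be explicitly set to Enabled and saved before its entries take effect.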

Related Articles

  • About Entra ID Change Detection Policies
  • Creating an Entra ID Custom Change Detection Policy
  • Editing or Deleting an Entra ID Custom Change Detection Policy