Query Details

Microsoft Entra Conditional Access Policy Exclusion Modification

Query

// CAP Exludes
AuditLogs
| where OperationName in ("Update conditional access policy", "Create conditional access policy")
| where Result == "success"
| mv-expand TargetResource = TargetResources
| mv-expand ModifiedProperty = TargetResource.modifiedProperties
| where ModifiedProperty.displayName == "PolicyDetail"
| extend OldPolicy = todynamic(tostring(ModifiedProperty.oldValue))
| extend NewPolicy = todynamic(tostring(ModifiedProperty.newValue))
// Extract Excludes
| extend OldExclusions = OldPolicy.conditions.users.excludeGroups
| extend NewExclusions = NewPolicy.conditions.users.excludeGroups
| extend OldExcludedUsers = OldPolicy.conditions.users.excludeUsers
| extend NewExcludedUsers = NewPolicy.conditions.users.excludeUsers
// check for added Excludes
| where array_length(NewExclusions) > array_length(OldExclusions) 
     or array_length(NewExcludedUsers) > array_length(OldExcludedUsers)
| project TimeGenerated, InitiatedBy = Identity, PolicyName = TargetResource.displayName, OldExclusions, NewExclusions, OldExcludedUsers, NewExcludedUsers

About this query

Microsoft Entra Conditional Access Policy Exclusion Modification

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1556.009Modify Authentication Process: Conditional Access Policieshttps://attack.mitre.org/techniques/T1556/009/
T1484Domain or Tenant Policy Modificationhttps://attack.mitre.org/techniques/T1484

Description

This rule detects modifications to Microsoft Entra ID Conditional Access policies where users or groups are added to the exclusion list. Such modifications can be used by adversaries to bypass security controls and facilitate persistence or lateral movement by ensuring specific accounts or groups are not subject to MFA or other authentication requirements.

Author <Optional>

References

Defender XDR

Explanation

This query is designed to detect changes made to Microsoft Entra ID Conditional Access policies, specifically focusing on instances where users or groups are added to the exclusion list. Such modifications can potentially be exploited by attackers to bypass security measures like Multi-Factor Authentication (MFA), allowing them to maintain access or move laterally within a network without triggering security alerts.

Here's a simplified breakdown of what the query does:

  1. Data Source: It examines audit logs for operations related to updating or creating conditional access policies.

  2. Success Filter: It filters these logs to only include successful operations.

  3. Policy Details: The query expands the details of the target resources and their modified properties to focus on changes made to the "PolicyDetail".

  4. Old vs. New Policy: It extracts and compares the old and new policy details, specifically looking at the lists of excluded groups and users.

  5. Detect Changes: The query checks if there are more exclusions (either groups or users) in the new policy compared to the old one.

  6. Output: If additional exclusions are detected, it outputs relevant information such as the time of the change, who initiated it, the policy name, and the details of the old and new exclusions.

This helps security teams identify potentially suspicious modifications to conditional access policies that could indicate an attempt to weaken security controls.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: July 12, 2026

Tables

AuditLogs

Keywords

MicrosoftEntraConditionalAccessPolicyExclusionModificationAuditLogsOperationNameResultTargetResourceModifiedPropertyPolicyDetailOldPolicyNewPolicyExcludesExclusionsExcludedUsersTimeGeneratedInitiatedByPolicyName

Operators

//|in==mv-expandextendtodynamictostringwherearray_lengthorproject

MITRE Techniques

Actions

GitHub