Microsoft Entra Conditional Access Policy Exclusion Modification
Query
// CAP Exludes
AuditLogs
| where OperationName in ("Update conditional access policy", "Create conditional access policy")
| where Result == "success"
| mv-expand TargetResource = TargetResources
| mv-expand ModifiedProperty = TargetResource.modifiedProperties
| where ModifiedProperty.displayName == "PolicyDetail"
| extend OldPolicy = todynamic(tostring(ModifiedProperty.oldValue))
| extend NewPolicy = todynamic(tostring(ModifiedProperty.newValue))
// Extract Excludes
| extend OldExclusions = OldPolicy.conditions.users.excludeGroups
| extend NewExclusions = NewPolicy.conditions.users.excludeGroups
| extend OldExcludedUsers = OldPolicy.conditions.users.excludeUsers
| extend NewExcludedUsers = NewPolicy.conditions.users.excludeUsers
// check for added Excludes
| where array_length(NewExclusions) > array_length(OldExclusions)
or array_length(NewExcludedUsers) > array_length(OldExcludedUsers)
| project TimeGenerated, InitiatedBy = Identity, PolicyName = TargetResource.displayName, OldExclusions, NewExclusions, OldExcludedUsers, NewExcludedUsersAbout this query
Microsoft Entra Conditional Access Policy Exclusion Modification
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1556.009 | Modify Authentication Process: Conditional Access Policies | https://attack.mitre.org/techniques/T1556/009/ |
| T1484 | Domain or Tenant Policy Modification | https://attack.mitre.org/techniques/T1484 |
Description
This rule detects modifications to Microsoft Entra ID Conditional Access policies where users or groups are added to the exclusion list. Such modifications can be used by adversaries to bypass security controls and facilitate persistence or lateral movement by ensuring specific accounts or groups are not subject to MFA or other authentication requirements.
Author <Optional>
- Name: Benjamin Zulliger
- Github: https://github.com/benscha/KQLAdvancedHunting
- LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/
References
Defender XDR
Explanation
This query is designed to detect changes made to Microsoft Entra ID Conditional Access policies, specifically focusing on instances where users or groups are added to the exclusion list. Such modifications can potentially be exploited by attackers to bypass security measures like Multi-Factor Authentication (MFA), allowing them to maintain access or move laterally within a network without triggering security alerts.
Here's a simplified breakdown of what the query does:
-
Data Source: It examines audit logs for operations related to updating or creating conditional access policies.
-
Success Filter: It filters these logs to only include successful operations.
-
Policy Details: The query expands the details of the target resources and their modified properties to focus on changes made to the "PolicyDetail".
-
Old vs. New Policy: It extracts and compares the old and new policy details, specifically looking at the lists of excluded groups and users.
-
Detect Changes: The query checks if there are more exclusions (either groups or users) in the new policy compared to the old one.
-
Output: If additional exclusions are detected, it outputs relevant information such as the time of the change, who initiated it, the policy name, and the details of the old and new exclusions.
This helps security teams identify potentially suspicious modifications to conditional access policies that could indicate an attempt to weaken security controls.
Details

Benjamin Zulliger
Released: July 12, 2026
Tables
Keywords
Operators