Account should have a configured activity log alert for deleting policy assignments

Description:
Create an activity log alert for the Delete Policy Assignment event.

Rationale:
By monitoring delete policy assignment events, you gain insight into changes made on the Policy - Assignments page and reduce the time it takes to detect unsolicited changes, such as a policy being removed so that a non-compliant deployment can proceed.

Remediation (Azure Portal):
1. Navigate to Monitor.
2. Select Alerts.
3. Click New Alert Rule.
4. Under Scope, click Select resource.
5. Select the appropriate subscription under Filter by subscription.
6. Select Policy Assignment under Filter by resource type.
7. Select All for Filter by location.
8. Click on the subscription from the entries populated under Resource.
9. Verify that Selection preview shows All Policy assignments (policyAssignments) and your selected subscription name.
10. Click Done.
11. Under Condition, click Add Condition.
12. Select the Delete policy assignment signal.
13. Click Done.
14. Under Action group, select Add action groups and either complete the creation process or select the appropriate action group.
15. Under Alert rule details, enter Alert rule name and Description.
16. Select the appropriate resource group to save the alert to.
17. Click on the Enable alert rule upon creation checkbox.
18. Click Create alert rule.

Remediation (Azure CLI / REST): the command obtains the current subscription id and an access token, then issues a PUT to the Activity Log Alerts API (note the closing single quote after -d@"input.json", which the script passed to bash -c requires):

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/resourceGroups/<Resource_Group_To_Create_Alert_In>/providers/microsoft.insights/activityLogAlerts/<Unique_Alert_Name>?api-version=2017-04-01 -d@"input.json"'

Where input.json contains the request body JSON data below:
{
  "location": "Global",
  "tags": {},
  "properties": {
    "scopes": [
      "/subscriptions/<Subscription_ID>"
    ],
    "enabled": true,
    "condition": {
      "allOf": [
        {
          "containsAny": null,
          "equals": "Administrative",
          "field": "category"
        },
        {
          "containsAny": null,
          "equals": "Microsoft.Authorization/policyAssignments/delete",
          "field": "operationName"
        }
      ]
    },
    "actions": {
      "actionGroups": [
        {
          "actionGroupId": "/subscriptions/<Subscription_ID>/resourceGroups/<Resource_Group_For_Alert_Group>/providers/microsoft.insights/actionGroups/<Alert_Group>",
          "webhookProperties": null
        }
      ]
    }
  }
}
Configurable parameters for the command line:
- <Resource_Group_To_Create_Alert_In>
- <Unique_Alert_Name>

Configurable parameters for input.json:
- <Subscription_ID> in scopes
- <Subscription_ID> in actionGroupId
- <Resource_Group_For_Alert_Group> in actionGroupId
- <Alert_Group> in actionGroupId

Remediation (PowerShell Az cmdlets):
# Signal and category that identify a policy assignment deletion in the activity log
$ComplianceName = 'Delete Policy Assignment'
$Signal = 'Microsoft.Authorization/policyAssignments/delete'
$Category = 'Administrative'
$ResourceGroupName = 'MyResourceGroup'

# Existing action group that receives the notification (adjust the name to your environment)
$ActionGroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)
$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)

# Scope the alert to the subscription of the current Az context
$Subscription = (Get-AzContext).Subscription
$location = 'Global'
$scope = "/subscriptions/$($Subscription.Id)"
$alertName = "$($Subscription.Name) - $($ComplianceName)"

# Both conditions must match: Administrative category AND the delete operation
$conditions = @(
    New-AzActivityLogAlertCondition -Field 'category' -Equal $Category
    New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal
)

Set-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions
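The audit side of this control is deciding whether an alert that already exists actually satisfies it. The helper below is an added example, not part of the benchmark or of any Azure SDK: it takes alert definitions in the JSON shape of input.json above (the same shape the Activity Log Alerts list API returns), reports why a given alert falls short (disabled, wrong scope, wrong condition, no action group) and whether any alert in a subscription passes. The subscription ids, resource group and action group names in the sample alerts are constructed.

```python
# Added audit helper (not from the benchmark page): check activity log alert
# definitions in the input.json shape against this control. Sample data is constructed.
DELETE_OP = "Microsoft.Authorization/policyAssignments/delete"

def _equals_conditions(alert):
    """Return {field: equals} from condition.allOf, lower-cased (operation names vary in case)."""
    all_of = alert.get("properties", {}).get("condition", {}).get("allOf", [])
    return {str(c.get("field", "")).lower(): str(c.get("equals") or "").lower()
            for c in all_of}

def alert_findings(alert, subscription_id):
    """List the ways one alert falls short of the control; an empty list means it passes."""
    props = alert.get("properties", {})
    findings = []
    if not props.get("enabled", False):
        findings.append("alert is disabled")
    wanted_scope = f"/subscriptions/{subscription_id}".lower()
    if wanted_scope not in [s.lower() for s in props.get("scopes", [])]:
        findings.append("subscription is not in scopes")
    conds = _equals_conditions(alert)
    if conds.get("category") != "administrative":
        findings.append("category condition is not Administrative")
    if conds.get("operationname") != DELETE_OP.lower():
        findings.append("operationName condition is not the policy assignment delete")
    if not props.get("actions", {}).get("actionGroups"):
        findings.append("no action group attached, so nobody is notified")
    return findings

def subscription_compliant(alerts, subscription_id):
    """True when at least one alert passes every check for this subscription."""
    return any(not alert_findings(a, subscription_id) for a in alerts)

def _alert(sub, enabled=True, action_groups=1):
    """Build a constructed alert document mirroring input.json (names are placeholders)."""
    ag = f"/subscriptions/{sub}/resourceGroups/rg/providers/microsoft.insights/actionGroups/ag"
    return {"location": "Global", "properties": {
        "scopes": [f"/subscriptions/{sub}"], "enabled": enabled,
        "condition": {"allOf": [{"field": "category", "equals": "Administrative"},
                                {"field": "operationName", "equals": DELETE_OP}]},
        "actions": {"actionGroups": [{"actionGroupId": ag}] * action_groups}}}

SUB = "00000000-0000-0000-0000-000000000001"  # constructed subscription id
SAMPLE_ALERTS = [
    _alert(SUB, enabled=False),                      # exists but is disabled
    _alert(SUB, action_groups=0),                    # fires but notifies nobody
    _alert("00000000-0000-0000-0000-000000000002"),  # covers a different subscription
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(alert_findings(a, SUB) or ["ok"])
    print("compliant:", subscription_compliant(SAMPLE_ALERTS, SUB))            # False
    print("after fix:", subscription_compliant(SAMPLE_ALERTS + [_alert(SUB)], SUB))  # True
```

Feed it the value array from the list-by-subscription API (referenced below) to audit a real subscription; every alert returning a non-empty findings list is a gap the remediation above closes.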
References:
- https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log
- https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate
- https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid
- https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources
- https://azure.microsoft.com/en-us/services/blueprints/

Additional information:
This log alert also applies to Azure Blueprints.