Notify on Conditional Access Policy Changes Crate
This Crate monitors Microsoft 365 Conditional Access Policy changes and generates notifications via ticket creation and email alerts. It leverages OpenAI to provide a clearer, human-readable summary of policy modifications.
Get notified about unauthorized Conditional Access policy changes.
Ensure security policies are consistently reviewed and modified only by authorized personnel.
Streamline incident response by automatically creating tickets or sending email notifications for policy changes.
Before unpacking this Crate:
The Microsoft Cloud integration must be set up in Rewst
Have access to Conditional Access policies via the Microsoft Graph API
Set up email configuration for notifications, if using email alerts
Your PSA integration must be configured, if using ticket notifications
Navigate to Crates > Crate Marketplace in the left side menu of the Rewst platform.
Click on the Crate tile to open its details page.
Click Unpack Crate.
Click Continue.
Customize settings for:
Sending an email, including who to send the reports to
Creating a PSA Ticket
Choose to use OpenAI
By default, the cron job trigger will be enabled. If desired, open the Cron Job accordion menu under Configure Triggers and disable or change these settings.
Enter your Time Saved (seconds).
Click Unpack.
This Crate can be triggered in two ways.
The Cron Trigger schedules periodic checks for Conditional Access policy changes.
Configured using UTC cron expressions (default: /42 * * * *).
The New Directory Audit Log - Policy Trigger monitors Microsoft Entra ID audit logs.
It fires when a Conditional Access policy is modified.
Checks for events where:
trigger.loggedByService == "Conditional Access"
trigger.targetResources.0.type == "Policy"
The OpenAI integration can be used for enhanced notifications by analyzing policy changes and summarizing them in a clear, human-readable format. This helps administrators quickly understand:
What changes were made.
Who initiated the changes.
Whether the changes introduce potential security risks.
Recommendations on whether further investigation is needed.
When OpenAI is enabled (vars.use_openai = "yes"), notifications will include AI-generated insights to provide contextual explanations of the modifications.
Each notification, whether email or ticket, includes:
Policy Name: The name of the modified Conditional Access policy.
Change Type: Whether the policy was added, removed, or updated.
Modified By: The identity of the user or system that made the change.
Timestamp: When the change was detected.
Summary of Changes: A structured breakdown of what was altered in the policy.
OpenAI Analysis, if enabled: AI-generated interpretation of the change's impact.
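The audit log trigger conditions and the notification fields described above, applied to Entra ID audit records in Python (an added example, not Rewst's workflow code). The two sample events are constructed; the record layout follows the Microsoft Graph directoryAudit resource, and the function names, the change-type mapping and the use of activityDateTime as the timestamp are assumptions.

```python
import json

# Constructed sample records, shaped like Microsoft Graph directoryAudit entries.
SAMPLE_EVENTS = [
    {"activityDateTime": "2024-01-01T10:15:00Z", "loggedByService": "Conditional Access",
     "activityDisplayName": "Update conditional access policy",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"type": "Policy", "displayName": "Require MFA for admins",
         "modifiedProperties": [{"displayName": "ConditionalAccessPolicy",
             "oldValue": '{"state": "enabled", "displayName": "Require MFA for admins"}',
             "newValue": '{"state": "disabled", "displayName": "Require MFA for admins"}'}]}]},
    # Unrelated directory event: must not fire the trigger.
    {"activityDateTime": "2024-01-01T10:20:00Z", "loggedByService": "Core Directory",
     "activityDisplayName": "Update user",
     "targetResources": [{"type": "User", "displayName": "Test User"}]},
]
CHANGE_TYPES = {"Add": "added", "Update": "updated", "Delete": "removed"}  # assumed mapping

def matches_trigger(event):
    """The two conditions the page lists for the audit log trigger."""
    first = (event.get("targetResources") or [{}])[0]
    return event.get("loggedByService") == "Conditional Access" and first.get("type") == "Policy"

def as_dict(raw):
    """Parse a modifiedProperties value; wrap anything that is not a JSON object."""
    try:
        value = json.loads(raw or "{}")
    except ValueError:
        value = raw
    return value if isinstance(value, dict) else {"value": value}

def build_notification(event):
    """Map one matching audit record onto the notification fields."""
    target = event["targetResources"][0]
    actor = event.get("initiatedBy") or {}
    who = ((actor.get("user") or {}).get("userPrincipalName")
           or (actor.get("app") or {}).get("displayName") or "unknown")
    summary = {}  # changed key -> (old value, new value)
    for prop in target.get("modifiedProperties") or []:
        old, new = as_dict(prop.get("oldValue")), as_dict(prop.get("newValue"))
        summary.update({k: (old.get(k), new.get(k))
                        for k in set(old) | set(new) if old.get(k) != new.get(k)})
    verb = (event.get("activityDisplayName") or "").split(" ")[0]
    return {"policy_name": target.get("displayName"), "timestamp": event.get("activityDateTime"),
            "change_type": CHANGE_TYPES.get(verb, "unknown"),
            "modified_by": who, "summary": summary}

def notifications(events):
    return [build_notification(e) for e in events if matches_trigger(e)]
```

Unchanged keys such as the policy's displayName are dropped from the summary, so a reviewer sees only what moved, here the policy state going from enabled to disabled.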
CTX variables hold dynamic, user-specific data used throughout this automation. They can be configured on the cron trigger and on the New Directory Audit Log - Policy Trigger.
vars.actions (Array): Defines notification method (ticket, email, chat).
vars.use_openai (String): Enables OpenAI for policy change summaries.
vars.org_var_name (String): Organization variable override.
vars.email_recipient_string (String): Comma-separated list of email recipients.
To verify that the Crate functions as expected:
Trigger a policy change
Manually modify a Conditional Access Policy in Microsoft 365.
Ensure a relevant event appears in the audit logs.
Check the trigger execution
Navigate to Automations > Results in Rewst.
Locate the workflow execution logs for this Crate.
Ensure that the workflow detects the policy change.
Verify notifications
If configured for email alerts, check the recipient inbox.
If configured for ticket creation, locate the new ticket in your PSA system.
Search for Notify on Conditional Access Policy Changes.
Got an idea for a new Crate? Rewst is constantly adding new Crates to our Crate Marketplace. Submit your idea or upvote existing ideas here in our .