Missing alerting policy for when RBAC permissions are changed in M365 Compliance portal.

Currently, when Exchange Online role group (RBAC) permissions are changed, an alert is generated using the built-in M365 alert policy. However, there is no equivalent for when RBAC permissions are changed for the Compliance portal.

EDIT: The M365 audit logs actually do show these changes, where the Activity is "Set-RoleGroup" and the workload is tagged as "SecurityComplianceCenter". This seems to be new, as 2 weeks ago this activity was not shown. It seems work is being done behind the scenes to make this more visible. However, when will we also see an Alert policy for this? It would be nice if this could also be picked up by Azure Sentinel. It would lead to a complete lockdown of permissions, so that a privilege escalation attack on the Compliance portal RBAC system does not go unnoticed.

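Until a built-in alert policy exists, the audit events described in the post can be filtered on a schedule. The following is an added example, not part of the original post or Microsoft's code: `Find-ComplianceRoleGroupChange` is a hypothetical helper name, the sample records are constructed, and it assumes the records carry the common audit fields `CreationTime`, `Operation`, `Workload` and `UserId` inside the `AuditData` JSON.

```powershell
# Added example. Find-ComplianceRoleGroupChange is a hypothetical helper, not a Microsoft cmdlet.
function Find-ComplianceRoleGroupChange {
    [CmdletBinding()]
    param(
        # Records shaped like Search-UnifiedAuditLog output (AuditData is a JSON string).
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record
    )
    process {
        try { $data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning 'Skipping record with unparsable AuditData'; return }

        # The two values the post reports seeing in the audit log.
        if ($data.Operation -ne 'Set-RoleGroup') { return }
        # Exchange Online role group changes already have a built-in alert; keep only the Compliance portal ones.
        if ($data.Workload -ne 'SecurityComplianceCenter') { return }

        [pscustomobject]@{
            TimeUtc   = $data.CreationTime
            Actor     = $data.UserId
            Operation = $data.Operation
            Workload  = $data.Workload
            RawEvent  = $Record.AuditData   # keep the full event for triage
        }
    }
}

# Constructed sample records (not real tenant data): one match, one Exchange event, one malformed.
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2021-01-01T10:00:00","Operation":"Set-RoleGroup","Workload":"SecurityComplianceCenter","UserId":"admin@example.invalid"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2021-01-01T10:05:00","Operation":"Set-RoleGroup","Workload":"Exchange","UserId":"admin@example.invalid"}' }
    [pscustomobject]@{ AuditData = 'not json' }
)
$sample | Find-ComplianceRoleGroupChange

# Live use from an Exchange Online PowerShell session:
# Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) `
#     -Operations 'Set-RoleGroup' -ResultSize 5000 | Find-ComplianceRoleGroupChange
```

The emitted objects can be forwarded to whatever notification or SIEM ingestion path the tenant already uses.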