M365DSC: Monitor Conditional Access Policy Configuration Drift with Microsoft Sentinel

We are back on our Microsoft 365 DSC discovery, and today we will learn how to use the solution to monitor Conditional Access policy modifications and generate alerts with Microsoft Sentinel.

Microsoft Entra ID Conditional Access is a solution allowing the enforcement of policies based on different signals such as location or device type to the Microsoft 365 cloud applications. It is a core solution to protect and govern your identity perimeter and therefor we should monitor policy changes - what if these changes were malicious and allow unauthorised access?

We will be using a few tools for this setup:

• Azure Arc Enabled VM

• Azure Monitor Agent

• Microsoft Sentinel

• and of course Microsoft 365 DSC PowerShell module

For this tutorial, we will be using the Azure Monitor Agent (AMA) instead of the Log Analytics agent due to its retirement next year (August 2024)

The VM is a Hyper-V Windows 10 running in my local environment not joined to Entra ID or ADDS (only workgroup).

Because of the AMA requirements, we will enable the VM to Azure using Azure Arc and then deployed the Azure Monitor Agent extension.

Table of Contents

1- Onboard Azure Arc

2- Deploy AMA extension

3- Prepare the VM

4- Configure the Azure Monitor DCR rules

5- Create Sentinel Analytic Rule

6- Test the alert

7- Conclusion

Onboard Azure Arc

The Azure Arc onboarding is straight forward:

1- Navigate to the Azure Arc portal

2- click Add/Create and choose Add a machine

3- Select Add a single server and press Generate a script

4- Fill the Resource details as required

5- Copy the script and run it on your VM

6- Log in with your admin account and fulfil the MFA challenge

7- Wait until the script complete

Your machine is now available in the Azure Arc portal

Deploy AMA extension

To install the Azure Monitor Agent (AMA) extension:

1- Select the machine in the Azure Arc portal

2- Navigate to Extension

3- Click Add

4- Select Azure Monitor Agent for Windows (Recommended) and click Next and Create

5- After a short while the extension deployment status should be succeeded

Prepare the VM

It is time now to prepare the VM:

1- Install the Microsoft 365 DSC module

2- Update all the dependent modules

3- Export the Entra ID Conditional Access policies

4- Configure the DSC LCM

5- Start the Configuration

Open PowerShell as Administrator and run the following script:

# 1- Install the Microsoft 365 DSC module
Install-Module Microsoft365DSC -Confirm:$false

# 2- Update all the dependent modules
Update-M365DSCDependencies
$ProgressPreference = 'SilentlyContinue'

# 3- Export the Entra ID Conditional Access policies
$params = @{
    #Credential           = $Credential
    ApplicationId         = "MyServicePrincipalId"
    TenantId              = "mydomain.onmicrosoft.com"
    CertificateThumbprint = "MyThunmbprint"
    #ApplicationSecret    = $ApplicationSecret
}

$resourcePath = "C:\DevOps\M365DSC\Export\AADConditionalAccess"
Export-M365DSCConfiguration `
    -Components @("AADNamedLocationPolicy","AADConditionalAccessPolicy","AADAuthenticationStrengthPolicy") `
    -Path $resourcePath `
    -CertificateThumbprint  $params.CertificateThumbprint `
    -TenantId  $params.TenantId `
    -ApplicationId $params.ApplicationId

# 4- Configure the DSC LCM
$LCMConfigPath = 'C:\M365DSC\LCM'
if (-not (Test-Path -Path $LCMConfigPath))
{
    New-Item -ItemType Directory -Path $LCMConfigPath -Force
}

$LCMConfig = @'
[DSCLocalConfigurationManager()]
configuration LCMConfig
{
    Node localhost
    {
        Settings
        {
            RefreshMode = 'Push'
            ConfigurationMode = 'ApplyAndMonitor'
            ConfigurationModeFrequencyMins = 15
        }
    }
}
LCMConfig
'@
$LCMConfig |Out-File "$LCMConfigPath\LCMConfig.ps1"
cd $LCMConfigPath
.\LCMConfig.ps1
Set-DscLocalConfigurationManager -Path "$LCMConfigPath\LCMConfig" -Force

# 5- Start the Configuration
cd $resourcePath
.\M365TenantConfig.ps1
Start-DscConfiguration -Wait -Force -Verbose -Path M365TenantConfig

Configure the Azure Monitor DCR rules

If you have a look at the Event Viewer, you will find a log called M365DSC. This log reports a warning for any configuration drift detected by DSC. We will export this event to Azure Monitor by creating a Data Collection Rule (DCR) as followed:

1- Navigate to the Log Analytic workspace used by Sentinel

2- Go to Agent and press Data Collection Rule and then Create data collection rule

3- Fill the basic info

4- In the Resources page press Add resources and select your VM or Resource Group

5- In the Collect and Deliver page:

a- Press the Add data source button

b- Data source type: Windows Event Logs

c- Choose Custom

d- Add the following XPath query: M365DSC!*[System[(Level=3) and (EventID=1)]]

e- In the Destination tab, Add a destination for Azure Monitor log and your log analytics workspace

f- Finally press Add data source and press Review+create

Create Sentinel Analytic Rule

The last step of the setup is to create the Microsoft Sentinel alert using an Near Real Time (NRT) analytic rule.

1- Navigate to Sentinel and select your Log Analytic workspace

2- Under configuration select Analytics and Create NRT query rule (Preview)

3- In the Set rule logic page:

a - Use the following rule analytic:

Event
| where Source == "MSFT_AADConditionalAccessPolicy"
| extend configurationDriftXML = (parse_xml(EventData)).DataItem.EventData.Data
| extend driftRawData = parse_xml(strcat("<?xml version=\"1.0\" encoding=\"UTF-8\"?>", tostring(configurationDriftXML)))
| extend parsedDriftData = driftRawData.M365DSCEvent
| extend policyName = parsedDriftData.DesiredValues.Param[0]["#text"]
| extend parameterDriftName = parsedDriftData.ConfigurationDrift.ParametersNotInDesiredState.Param["@Name"]
| extend parameterDriftCurrentValue = parsedDriftData.ConfigurationDrift.ParametersNotInDesiredState.Param["CurrentValue"]
| extend parameterDriftDesiredValue = parsedDriftData.ConfigurationDrift.ParametersNotInDesiredState.Param["DesiredValue"]

This query will retrieve the event and parse the result to retrieve the detection information.

b- Add the custom details (Refer to the below picture):

- PolicyName

- DriftParameter

- CurrentValue

- DesiredValue

c- Configure your Alert details as required

4- In the Incident settings page: configurate the incident and grouping alert as show in the picture below

5- For this tutorial, we will keep it simple and leave the Automated response as default

Test the alert

To test the alert we can simply disable or modify a Conditional Access policy and verify the alert in Sentinel Incident page

Conclusion

In this blog, we've learn how to integrate M365DSC with Sentinel to monitor Conditional Access however the same setup can be implemented with any policy supported by M365DSC across Entra, Purview, Teams and Sharepoint,... .

This is a prelude of managing your Microsoft 365 environment adopting the Configuration-As-Code approach and I shall demonstrate in my next blog how to provision this VM using Azure DevOps and automate the process using a CI/CD pipeline.

Keep posted!

About William Francillette:

I am a Microsoft Solutions Architect specialized in Microsoft 365, Entra and Azure security products at Threatscape.

I love learning, blogging and coding. My interests are very diverse from architecture, security, cloud engineering, automation, DevOps and PowerShell.

I own over a dozen Microsoft certifications and have worked in IT across multiple and diverse industries for over 15 years now.