alexmags/SharePointAdminCentreMakesCAPolicies.kql

## SharePointAdminCentreMakesCAPolicies.kql
// KQL because SharePoint Admin centre can make surprise new Conditional Access policies when you configure tenant level settings.
// Look for SharePoint ID and brackets in display name
// Create a notification action on AAD audit logs when this happens. https://blog.alexmags.com/tags/kql/
AuditLogs
  | where  Category == "Policy" and (Identity  == 'Office 365 SharePoint Online' or TargetResources[0].displayName contains '[')
  | project TimeGenerated, OperationName, TargetResources[0].displayName,Identity,InitiatedBy.user.userPrincipalName
	// KQL because SharePoint Admin centre can make surprise new Conditional Access policies when you configure tenant level settings.
	// Look for SharePoint ID and brackets in display name
	// Create a notification action on AAD audit logs when this happens. https://blog.alexmags.com/tags/kql/
	AuditLogs
	\| where Category == "Policy" and (Identity == 'Office 365 SharePoint Online' or TargetResources[0].displayName contains '[')
	\| project TimeGenerated, OperationName, TargetResources[0].displayName,Identity,InitiatedBy.user.userPrincipalName