
Azure Conditional Access Policy Modified

Elastic Detection Rules

Summary
This rule identifies modifications made to Azure Conditional Access policies, which are essential for maintaining secure access controls to resources within Azure environments. A Conditional Access policy allows administrators to enforce specific conditions under which users can access resources, such as requiring multi-factor authentication (MFA). If an adversary gains the ability to modify these policies, they may weaken security measures, potentially allowing unauthorized access. This rule analyzes logs for successful modification events related to Conditional Access policies. It uses Azure audit logs to track the "Update conditional access policy" event and checks the outcome to confirm the operation succeeded. A detailed investigation guide is also supplied, suggesting steps for correlating logged activities and confirming the legitimacy of the changes, alongside strategies for handling false positives that might arise from routine administrative tasks. The severity is classified as medium with a risk score of 47, indicating a need for vigilant monitoring and quick response when alerts are triggered.
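To make the matching logic concrete, here is an added example (not Elastic's rule code and not taken from this page) that replays the same two checks the summary describes, audit-log operation name plus a successful outcome, over a handful of constructed Azure audit-log records. The ECS-style field paths (`event.dataset`, `event.outcome`, `azure.auditlogs.operation_name`, `azure.auditlogs.identity`) and the optional `approved_actors` triage flag are assumptions made for this illustration.

```python
"""Replay of the rule's matching logic over constructed Azure audit-log records."""
from typing import Any, Dict, FrozenSet, Iterable, List, Optional

# The operation name the summary says the rule keys on.
OPERATION = "Update conditional access policy"

# Constructed sample events. The field layout below is an assumption modelled on
# the ECS-style shape of Elastic's Azure integration; it is not quoted from the page.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # successful policy update -> should alert
        "@timestamp": "2024-05-01T09:12:00Z",
        "event": {"dataset": "azure.auditlogs", "outcome": "success"},
        "azure": {"auditlogs": {"operation_name": OPERATION,
                                "identity": "alice@example.test"}},
    },
    {   # same operation, but it failed -> no alert
        "@timestamp": "2024-05-01T09:13:00Z",
        "event": {"dataset": "azure.auditlogs", "outcome": "failure"},
        "azure": {"auditlogs": {"operation_name": OPERATION,
                                "identity": "bob@example.test"}},
    },
    {   # unrelated successful operation -> no alert
        "@timestamp": "2024-05-01T09:14:00Z",
        "event": {"dataset": "azure.auditlogs", "outcome": "success"},
        "azure": {"auditlogs": {"operation_name": "Add user",
                                "identity": "bob@example.test"}},
    },
    {   # capitalised outcome, as some exports write it -> still alerts
        "@timestamp": "2024-05-01T09:15:00Z",
        "event": {"dataset": "azure.auditlogs", "outcome": "Success"},
        "azure": {"auditlogs": {"operation_name": OPERATION,
                                "identity": "svc-iam-automation@example.test"}},
    },
    {   # wrong dataset (sign-in log) -> no alert even though outcome is success
        "@timestamp": "2024-05-01T09:16:00Z",
        "event": {"dataset": "azure.signinlogs", "outcome": "success"},
        "azure": {"auditlogs": {"operation_name": OPERATION}},
    },
]


def _get(record: Dict[str, Any], path: str) -> Optional[Any]:
    """Walk a dotted path such as 'azure.auditlogs.operation_name'; None if absent."""
    node: Any = record
    for key in path.split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def is_policy_modification(event: Dict[str, Any]) -> bool:
    """True when the record is an Azure audit-log event for a successful
    'Update conditional access policy' operation (outcome compared case-insensitively)."""
    if _get(event, "event.dataset") != "azure.auditlogs":
        return False
    if _get(event, "azure.auditlogs.operation_name") != OPERATION:
        return False
    outcome = _get(event, "event.outcome")
    return isinstance(outcome, str) and outcome.lower() == "success"


def detect(events: Iterable[Dict[str, Any]],
           approved_actors: FrozenSet[str] = frozenset()) -> List[Dict[str, Any]]:
    """Return one alert per matching event. Actors in approved_actors (e.g. a known
    IaC service principal) are tagged as expected rather than dropped, so routine
    changes are triaged at lower priority but never silently suppressed."""
    alerts = []
    for ev in events:
        if not is_policy_modification(ev):
            continue
        actor = _get(ev, "azure.auditlogs.identity")
        alerts.append({
            "timestamp": ev.get("@timestamp"),
            "actor": actor,
            "operation": OPERATION,
            "expected_change": actor in approved_actors,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, frozenset({"svc-iam-automation@example.test"})):
        print(alert)
```

Two points the sample data is built to exercise: the outcome check must tolerate the capitalisation differences seen across exports, and a record with the right operation name in the wrong dataset must not fire. Tagging known automation identities instead of filtering them out keeps a compromised service principal visible while still addressing the routine-change false positives the investigation guide mentions.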
Categories
  • Cloud
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1098
Created: 2020-09-01