How to create Azure Monitor Alerts based on policy definitions?

  1. First of all, you need a Log Analytics workspace that receives logs from the Activity log:

    More info:

  2. Please go to Monitor.
  3. Go to the Alerts tab (you can go directly to this link:
  4. Press New alert rule
  5. Press Resource
  6. Select the subscription and the Log Analytics workspace, like here:



  7. To use custom queries, you should see something like this here:

  8. Choose:

  9. Select
  10. Type a query, e.g.: AzureActivity | where TimeGenerated > ago(60d) and OperationNameValue startswith "Microsoft.Authorization/roleDefinitions/write"
  11. Configure the alert logic, e.g. Number of results greater than 0, and set the Period and Frequency.
  12. Create action groups – who should receive alerts.
  13. Specify the Subject line and the Alert rule name.
  14. Save the alert.
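
A fuller version of the step 10 query, as an added example that is not part of the original page: it collapses the several Activity log records one operation produces into a single row and keeps the fields a responder needs. It assumes the standard AzureActivity columns in the workspace and leaves the time window to the Period set in step 11.

```kusto
// Added example, not from the original page.
// Role definition writes (custom role created or changed), one row per operation.
AzureActivity
// startswith is case-insensitive, so it matches however the operation name is cased
// (startswith_cs would be the case-sensitive form).
| where OperationNameValue startswith "Microsoft.Authorization/roleDefinitions/write"
// One operation writes several records (for example a start and a result record)
// that share a CorrelationId; keep only the latest record of each operation so a
// single change counts as a single result in the alert.
| summarize arg_max(TimeGenerated, Caller, CallerIpAddress, ActivityStatusValue, _ResourceId)
    by CorrelationId, SubscriptionId
// Fields for triage: who made the change, from where, on which role definition,
// and how the operation ended.
| project TimeGenerated, Caller, CallerIpAddress, SubscriptionId,
          RoleDefinitionId = _ResourceId, ActivityStatusValue, CorrelationId
| order by TimeGenerated desc
```

With Number of results greater than 0 from step 11, the alert fires once per evaluation in which at least one role definition write appears in the Period.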
