What Changed
Multiple Microsoft Entra ID Conditional Access detection rules were updated from version 1.0.0 to 1.0.1, standardizing the lookbackDuration format from “1h” to “PT1H” (ISO 8601 duration format).
Detection Logic
KQL logic unavailable — YAML not included in diff context.
Security Impact (Visibility & Fidelity)
The incorrect lookbackDuration format (“1h” instead of “PT1H”) prevented these Conditional Access detection rules from being deployed or saved in Microsoft Sentinel. Deployments that included these rules failed completely for Conditional Access monitoring, which is a critical detection blind spot for identity governance and access policy changes.
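A pre-deployment check for the format problem described above, as an added example that is not part of the original changelog or the Microsoft Sentinel repository: it flags any lookbackDuration value that is not an ISO 8601 duration and suggests the corrected form. The sample YAML fragments and the function names check_rule and to_iso8601 are constructed for illustration.

```python
import re

# General ISO 8601 duration syntax, e.g. PT1H, P1D, P1DT12H (bare "P" or "PT" is rejected).
ISO_DURATION = re.compile(
    r"^P(?!$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$"
)
# Shorthand such as "1h", the form the changelog reports as broken.
SHORTHAND = re.compile(r"^(\d+)([smhd])$", re.IGNORECASE)
# Line-based match so no YAML library is needed; tolerates quotes and trailing comments.
FIELD = re.compile(r"^\s*lookbackDuration\s*:\s*['\"]?([^'\"#\s]+)['\"]?\s*(#.*)?$")


def to_iso8601(value):
    """Return the ISO 8601 form of a shorthand duration, or None if it is not shorthand."""
    m = SHORTHAND.match(value)
    if not m:
        return None
    amount, unit = m.group(1), m.group(2).lower()
    return f"P{amount}D" if unit == "d" else f"PT{amount}{unit.upper()}"


def check_rule(text):
    """Return (line_number, value, suggested_fix) for each invalid lookbackDuration."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = FIELD.match(line)
        if m and not ISO_DURATION.match(m.group(1)):
            findings.append((lineno, m.group(1), to_iso8601(m.group(1))))
    return findings


# Constructed sample rule fragments (not copied from the repository).
BEFORE = """\
version: 1.0.0
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 1h
"""
AFTER = BEFORE.replace("1.0.0", "1.0.1").replace("lookbackDuration: 1h", "lookbackDuration: PT1H")

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, check_rule(text) or "ok")
```

Running the check over every rule file in CI before packaging catches the invalid value before it reaches a Sentinel deployment.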
Affected Files
Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access Device platforms condition has changed.yaml
Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access app exclusion has changed.yaml
Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was deleted.yaml
Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was disabled.yaml
Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was put into report-only mode.yaml
Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access policy was updated.yaml
Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A Conditional Access usergrouprole exclusion has changed.yaml
Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - A new Conditional Access policy was created.yaml
Solutions/Microsoft Entra ID/Analytic Rules/Conditional Access - Dynamic Group Exclusion Changes.yaml
(packaging artefacts updated: mainTemplate.json, Package/*.zip)