Is there a way I can make Azure Monitor alert an administrator when an application registration’s API permission is edited?
Create a Log Analytics workspace for exporting logs from Azure AD.
Create a Diagnostic setting by navigating to Azure Entra ID > Diagnostic settings > Add diagnostic setting.
Once the Diagnostic settings are added, wait for some time for the logs to sync to the Log Analytics Workspace, and then execute the KQL query below to fetch logs if an application’s API permissions have been modified.
AuditLogs
| where Category == "ApplicationManagement"
| where OperationName in ("Consent to application", "Add app role assignment to service principal", "Remove app role assignment from service principal")
KQL Query Result:
You can follow the Stack link answered by me to create an action group for triggering an email.
Once you create an alert, you will receive an email notification to your email id if an Azure AD application’s API permission is edited.
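Before wiring the query into an alert rule, it helps to see what the filter actually matches. The following is an added example, not code from the answer above: it replays the same OperationName filter in Python over a handful of constructed AuditLogs-style rows (the column names TimeGenerated, Category, OperationName, InitiatedBy and TargetResources follow the Log Analytics AuditLogs table; the tenant, user, application and entitlement values are made up). It goes one step beyond the answer's KQL by also flagging "Update application" events whose modifiedProperties contain "RequiredResourceAccess", which is how an edit made in the app registration's API permissions blade shows up in the audit log.

```python
# Added example (not the original answer's code): replay the answer's AuditLogs
# filter offline over constructed records so the matching logic can be checked
# before it is turned into an Azure Monitor alert rule.
import json
from dataclasses import dataclass
from typing import List

# Operation names the answer's KQL matches (consent / app role assignment events).
CONSENT_OPS = {
    "Consent to application",
    "Add app role assignment to service principal",
    "Remove app role assignment from service principal",
}
# Editing the API permissions blade of an app registration is logged as an
# "Update application" event whose modifiedProperties include
# "RequiredResourceAccess"; checked here in addition to the answer's query.
UPDATE_OP = "Update application"
PERMISSION_PROPERTY = "RequiredResourceAccess"

# Constructed sample rows shaped like the AuditLogs table in Log Analytics.
# 00000003-0000-0000-c000-000000000000 is the well-known Microsoft Graph app id;
# the EntitlementId below is a placeholder, not a real permission id.
SAMPLE_AUDIT_LOGS = r"""
{"TimeGenerated":"2024-05-01T10:00:00Z","Category":"ApplicationManagement","OperationName":"Add app role assignment to service principal","Result":"success","InitiatedBy":{"user":{"userPrincipalName":"admin@contoso.example"}},"TargetResources":[{"displayName":"Payroll Connector","type":"ServicePrincipal","modifiedProperties":[{"displayName":"AppRole.Value","oldValue":null,"newValue":"\"Mail.Read\""}]}]}
{"TimeGenerated":"2024-05-01T10:05:00Z","Category":"ApplicationManagement","OperationName":"Update application","Result":"success","InitiatedBy":{"user":{"userPrincipalName":"dev@contoso.example"}},"TargetResources":[{"displayName":"Payroll Connector","type":"Application","modifiedProperties":[{"displayName":"RequiredResourceAccess","oldValue":"[]","newValue":"[{\"ResourceAppId\":\"00000003-0000-0000-c000-000000000000\",\"RequiredAppPermissions\":[{\"EntitlementId\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\",\"DirectAccessGrant\":true}]}]"}]}]}
{"TimeGenerated":"2024-05-01T10:07:00Z","Category":"ApplicationManagement","OperationName":"Update application","Result":"success","InitiatedBy":{"user":{"userPrincipalName":"dev@contoso.example"}},"TargetResources":[{"displayName":"Payroll Connector","type":"Application","modifiedProperties":[{"displayName":"DisplayName","oldValue":"\"Payroll Connector\"","newValue":"\"Payroll Connector v2\""}]}]}
{"TimeGenerated":"2024-05-01T10:09:00Z","Category":"UserManagement","OperationName":"Add user","Result":"success","InitiatedBy":{"user":{"userPrincipalName":"admin@contoso.example"}},"TargetResources":[{"displayName":"New Hire","type":"User"}]}
{"TimeGenerated":"2024-05-01T10:12:00Z","Category":"ApplicationManagement","OperationName":"Consent to application","Result":"success","InitiatedBy":{"app":{"displayName":"Constructed Admin Tool"}},"TargetResources":[{"displayName":"Payroll Connector","type":"ServicePrincipal"}]}
"""


@dataclass
class PermissionChange:
    time: str
    operation: str
    actor: str
    target: str
    detail: str  # new RequiredResourceAccess value for "Update application" hits


def load_records(jsonl: str) -> List[dict]:
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def actor_of(record: dict) -> str:
    """InitiatedBy is a nested dynamic column: either a user or an app."""
    initiated_by = record.get("InitiatedBy") or {}
    user = initiated_by.get("user") or {}
    app = initiated_by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def detect_permission_changes(records: List[dict]) -> List[PermissionChange]:
    """Same filter as the answer's KQL, plus RequiredResourceAccess edits."""
    hits: List[PermissionChange] = []
    for rec in records:
        if rec.get("Category") != "ApplicationManagement":
            continue
        op = rec.get("OperationName", "")
        targets = rec.get("TargetResources") or []
        first_target = targets[0].get("displayName", "?") if targets else "?"
        if op in CONSENT_OPS:
            hits.append(PermissionChange(rec["TimeGenerated"], op, actor_of(rec), first_target, ""))
            continue
        if op == UPDATE_OP:
            for target in targets:
                for prop in target.get("modifiedProperties") or []:
                    if prop.get("displayName") == PERMISSION_PROPERTY:
                        hits.append(PermissionChange(
                            rec["TimeGenerated"], op, actor_of(rec),
                            target.get("displayName", "?"), prop.get("newValue") or ""))
    return hits


def alert_body(hits: List[PermissionChange]) -> str:
    """Render the lines an action group e-mail would carry."""
    lines = []
    for h in hits:
        line = f"{h.time} {h.operation} on '{h.target}' by {h.actor}"
        if h.detail:
            line += f" -> {h.detail}"
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    changes = detect_permission_changes(load_records(SAMPLE_AUDIT_LOGS))
    print(alert_body(changes))
```

Running the block prints three matches out of the five sample rows: the rename of the application and the unrelated user-management event are ignored, while the app role assignment, the consent, and the RequiredResourceAccess edit are reported with the initiating identity, which is the detail an administrator needs in the notification.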
2
Answers
I think you can do this either by checking AD audit logs (but that may be more tedious and possibly doesn’t catch every condition you’re looking for):
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-3/#azure-monitor-alert
Or you could enable "Activity Logging", and for instance create a Log Analytics Workspace in Azure Monitor and build KQL queries for your use case.
There’s all sort of clever stuff you can do with those activity logs:
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell
I hope this helps, I’ve never implemented this myself though.