diff --git a/test/functional/apps/management/_create_index_pattern_wizard.js b/test/functional/apps/management/_create_index_pattern_wizard.js
index 8b11a02099f61..90838ecc1f6fb 100644
--- a/test/functional/apps/management/_create_index_pattern_wizard.js
+++ b/test/functional/apps/management/_create_index_pattern_wizard.js
@@ -24,6 +24,7 @@ export default function ({ getService, getPageObjects }) {
   const testSubjects = getService('testSubjects');
   const es = getService('legacyEs');
   const PageObjects = getPageObjects(['settings', 'common']);
+  const security = getService('security');
 
   describe('"Create Index Pattern" wizard', function () {
     before(async function () {
@@ -51,6 +52,9 @@ export default function ({ getService, getPageObjects }) {
     });
 
     describe('index alias', () => {
+      before(async function () {
+        await security.testUser.setRoles(['kibana_admin', 'test_alias1_reader']);
+      });
       it('can be an index pattern', async () => {
         await es.transport.request({
           path: '/blogs/_doc',
@@ -77,6 +81,7 @@ export default function ({ getService, getPageObjects }) {
           path: '/blogs',
           method: 'DELETE',
         });
+        await security.testUser.restoreDefaults();
       });
     });
   });
diff --git a/test/functional/config.js b/test/functional/config.js
index 6081810d41272..e465937aff0e5 100644
--- a/test/functional/config.js
+++ b/test/functional/config.js
@@ -288,6 +288,18 @@ export default async function ({ readConfigFile }) {
           },
           kibana: [],
         },
+
+        test_alias1_reader: {
+          elasticsearch: {
+            cluster: [],
+            indices: [
+              {
+                names: ['alias1'],
+                privileges: ['read', 'view_index_metadata'],
+              },
+            ],
+          },
+        },
       },
       defaultRoles: ['test_logstash_reader', 'kibana_admin'],
     },
diff --git a/x-pack/plugins/ingest_manager/server/services/agent_policy_update.ts b/x-pack/plugins/ingest_manager/server/services/agent_policy_update.ts
index 4ddb3cfb6a6a5..fe06de765bbff 100644
--- a/x-pack/plugins/ingest_manager/server/services/agent_policy_update.ts
+++ b/x-pack/plugins/ingest_manager/server/services/agent_policy_update.ts
@@ -6,8 +6,7 @@
 
 import { KibanaRequest, SavedObjectsClientContract } from 'src/core/server';
 import { generateEnrollmentAPIKey, deleteEnrollmentApiKeyForAgentPolicyId } from './api_keys';
-import { unenrollForAgentPolicyId } from './agents';
-import { outputService } from './output';
+import { isAgentsSetup, unenrollForAgentPolicyId } from './agents';
 import { agentPolicyService } from './agent_policy';
 import { appContextService } from './app_context';
 
@@ -31,11 +30,8 @@ export async function agentPolicyUpdateEventHandler(
   action: string,
   agentPolicyId: string
 ) {
-  const adminUser = await outputService.getAdminUser(soClient);
-  const outputId = await outputService.getDefaultOutputId(soClient);
-
-  // If no admin user and no default output fleet is not enabled just skip this hook
-  if (!adminUser || !outputId) {
+  // If Agents are not setup skip this hook
+  if (!(await isAgentsSetup(soClient))) {
     return;
   }
 
diff --git a/x-pack/plugins/ingest_manager/server/services/agents/index.ts b/x-pack/plugins/ingest_manager/server/services/agents/index.ts
index c878b666bde88..0800a04fb1b3b 100644
--- a/x-pack/plugins/ingest_manager/server/services/agents/index.ts
+++ b/x-pack/plugins/ingest_manager/server/services/agents/index.ts
@@ -16,3 +16,4 @@ export * from './update';
 export * from './actions';
 export * from './reassign';
 export * from './authenticate';
+export * from './setup';
diff --git a/x-pack/plugins/ingest_manager/server/services/agents/setup.ts b/x-pack/plugins/ingest_manager/server/services/agents/setup.ts
new file mode 100644
index 0000000000000..1393e732e89d1
--- /dev/null
+++ b/x-pack/plugins/ingest_manager/server/services/agents/setup.ts
@@ -0,0 +1,48 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { SavedObjectsClientContract } from 'src/core/server';
+import { SO_SEARCH_LIMIT } from '../../constants';
+import { agentPolicyService } from '../agent_policy';
+import { outputService } from '../output';
+import { getLatestConfigChangeAction } from './actions';
+
+export async function isAgentsSetup(soClient: SavedObjectsClientContract): Promise<boolean> {
+  const adminUser = await outputService.getAdminUser(soClient, false);
+  const outputId = await outputService.getDefaultOutputId(soClient);
+  // If admin user (fleet_enroll) and output id exist Agents are correctly setup
+  return adminUser && outputId ? true : false;
+}
+
+/**
+ * During the migration from 7.9 to 7.10 we introduce a new agent action POLICY_CHANGE per policy
+ * this function ensure that action exist for each policy
+ *
+ * @param soClient
+ */
+export async function ensureAgentActionPolicyChangeExists(soClient: SavedObjectsClientContract) {
+  // If Agents are not setup skip
+  if (!(await isAgentsSetup(soClient))) {
+    return;
+  }
+
+  const { items: agentPolicies } = await agentPolicyService.list(soClient, {
+    perPage: SO_SEARCH_LIMIT,
+  });
+
+  await Promise.all(
+    agentPolicies.map(async (agentPolicy) => {
+      const policyChangeActionExist = !!(await getLatestConfigChangeAction(
+        soClient,
+        agentPolicy.id
+      ));
+
+      if (!policyChangeActionExist) {
+        return agentPolicyService.createFleetPolicyChangeAction(soClient, agentPolicy.id);
+      }
+    })
+  );
+}
diff --git a/x-pack/plugins/ingest_manager/server/services/output.ts b/x-pack/plugins/ingest_manager/server/services/output.ts
index f780bd95faedc..0e3b652422faa 100644
--- a/x-pack/plugins/ingest_manager/server/services/output.ts
+++ b/x-pack/plugins/ingest_manager/server/services/output.ts
@@ -65,8 +65,8 @@ class OutputService {
     return outputs.saved_objects[0].id;
   }
 
-  public async getAdminUser(soClient: SavedObjectsClientContract) {
-    if (cachedAdminUser) {
+  public async getAdminUser(soClient: SavedObjectsClientContract, useCache = true) {
+    if (useCache && cachedAdminUser) {
       return cachedAdminUser;
     }
 
diff --git a/x-pack/plugins/ingest_manager/server/services/setup.ts b/x-pack/plugins/ingest_manager/server/services/setup.ts
index c7ecf843d6a51..7f379d3ea4f13 100644
--- a/x-pack/plugins/ingest_manager/server/services/setup.ts
+++ b/x-pack/plugins/ingest_manager/server/services/setup.ts
@@ -29,6 +29,7 @@ import { generateEnrollmentAPIKey } from './api_keys';
 import { settingsService } from '.';
 import { awaitIfPending } from './setup_utils';
 import { createDefaultSettings } from './settings';
+import { ensureAgentActionPolicyChangeExists } from './agents';
 
 const FLEET_ENROLL_USERNAME = 'fleet_enroll';
 const FLEET_ENROLL_ROLE = 'fleet_enroll';
@@ -80,6 +81,7 @@ async function createSetupSideEffects(
   ) {
     throw new Error('Policy not found');
   }
+
   for (const installedPackage of installedPackages) {
     const packageShouldBeInstalled = DEFAULT_AGENT_POLICIES_PACKAGES.some(
       (packageName) => installedPackage.name === packageName
@@ -105,6 +107,8 @@ async function createSetupSideEffects(
     }
   }
 
+  await ensureAgentActionPolicyChangeExists(soClient);
+
   return { isIntialized: true };
 }