Skip to content

Azvise

Notes on Microsoft stuff

  • HOME
  • Articles
  • About
  • Disclaimer

Receive an alert on a user login – Azure AD

Since the best practice in Azure AD is to configure a Break-glass administrator excluded from conditional access policies, you’ll want to receive an alert if this user logs into the tenant. Usually, this admin should not be used for day to day operations, and the password should be complex.

For this procedure, you’ll need Azure AD Premium P1 or P2.

To receive an alert on a user login:

  • Open the Log Analytics page
  • Click on “Create“.
  • Select the subscription, resource group and choose a name and region for the LAW instance.
  • Click on “Review + Create”, then on “Create”.
  • Go to Diagnostics Settings | Azure AD
  • Click on “Add diagnostic setting”.
  • Select “SignInLogs” and “Send to Log Analytics workspace”.
  • Select the Log workspace you just created.
  • Give the diagnostic setting a name.
  • Click “Save”.
  • Go to AAD | All Users
  • Click on the user you want to get alerts for, and copy the User Principal Name.
  • Open your Log Analytics workspace.
  • Go to “Alerts”, then “+ Create”, “Alert rule”.
  • Under “Condition“, select “Add”.
  • Select “Custom log search”.
  • In the text box, insert the following code, personalizing it for your UPN:
SigninLogs
| project UserPrincipalName 
| where UserPrincipalName == "demo@azdemoenv.onmicrosoft.com"
  • Under “Alert logic”, select “Operator” Greater than 0, with “Frequency of evaluation” 5 minutes.
  • If you want to get alerts as soon as possible, set the frequency of evaluation to 1 minute.
  • Click on “Next”.
  • Create an Action Group, or select your existing one.
  • To create one, click on “Add action groups”, select the subscription, resource group, and give the Action Group a name and display name.
  • Select the type of notification you want to get. In my example, I’ve selected an email and SMS.
  • Click “Ok”, and give the notification a name.
  • Click on “Review + create”, you will have the chance to test it out before pushing it in production.
  • Once you are happy with your rule, click “Create”.

If your tenant is not big, this alert will only cost a couple of bucks. However, if the logs get bigger than 5GB, standard rates for Log Analytics will apply.

Share this:

  • Twitter
  • Print
  • LinkedIn
  • Email

Related

Posted on March 1, 2022March 14, 2022 by AzvisePosted in Azure & Azure AD, SecurityTagged administration, alert, Azure & Azure AD, Break-glass, log, login, microsoft, Notification, Security.

Post navigation

Previous Previous post: Apple Mail not working after disabling Legacy Authentication – Exchange Online
Next Next post: Outlook requires app password for connecting to Exchange Online
  • Security
  • Azure & Azure AD
  • Exchange Online
  • Office 365
  • Powershell
  • Other

Latest retweets

My Tweets
Create a website or blog at WordPress.com
  • Follow Following
    • Azvise
    • Already have a WordPress.com account? Log in now.
    • Azvise
    • Customize
    • Follow Following
    • Sign up
    • Log in
    • Copy shortlink
    • Report this content
    • View post in Reader
    • Manage subscriptions
    • Collapse this bar
 

Loading Comments...