Since the best practice in Azure AD is to exclude break-glass administrators from many Conditional Access policies, you probably want to receive an alert whenever this account signs in to the tenant. This admin should not be used for day-to-day operations, and its authentication methods should be very strong.
How-to guide
For this procedure, you’ll need Azure AD Premium P1 or P2.
To receive an alert on a user sign-in, you’ll need to export the sign-in logs to a Log Analytics workspace and then set up the alert rule that triggers on them. We’ll go over the steps in this guide:
- Open the Log Analytics page
- Click on “Create“.
- Select the subscription, resource group and choose a name and region for the LAW instance.
- Click on “Review + Create”, then on “Create”.
- Go to Diagnostics Settings | Azure AD
- Click on “Add diagnostic setting”.
- Select “SignInLogs” and “Send to Log Analytics workspace”.
- Select the Log workspace you just created.
- Give the diagnostic setting a name.
- Click “Save”.
- Go to AAD | All Users
- Click on the user you want to get alerts for, and copy the User Principal Name.
- Open your Log Analytics workspace.
- Go to “Alerts”, then “+ Create”, “Alert rule”.
- Under “Condition“, select “Add”.
- Select “Custom log search”.
- In the text box, insert the following query, replacing the address with your break-glass admin’s UPN. UPNs are not case-sensitive, so use the case-insensitive =~ operator rather than the case-sensitive ==, which would miss a sign-in where the UPN is recorded in a different letter case:
// Match every sign-in row for the break-glass UPN, regardless of letter case
SigninLogs
| where UserPrincipalName =~ "email@example.com"
| project UserPrincipalName
- Under “Alert logic”, select “Operator” Greater than 0, with “Frequency of evaluation” 5 minutes.
- If you want to get alerts as soon as possible, set the frequency of evaluation to 1 minute.
- Click on “Next”.
- Create an Action Group, or select your existing one.
- To create one, click on “Add action groups”, select the subscription, resource group, and give the Action Group a name and display name.
- Select the type of notification you want to get. In my example, I’ve selected an email and SMS.
- Click “Ok”, and give the notification a name.
- Click on “Review + create”; you will have the chance to test the rule before pushing it to production.
- Once you are happy with your rule, click “Create”.
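As an added example that is not part of the original guide, the Python below mirrors what the alert rule does: at every evaluation tick it counts rows from the SigninLogs table that match the break-glass UPN and fires when the count is greater than 0. The sample rows, the UPN and the timestamps are constructed; it assumes rows shaped like the SigninLogs columns TimeGenerated, UserPrincipalName and ResultType.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of SigninLogs-shaped rows (NDJSON) as they look once Azure AD sign-in
# logs are exported to Log Analytics; UPNs/times are made up. Note the different letter case.
SAMPLE_SIGNIN_LOGS = """
{"TimeGenerated": "2024-01-10T08:01:12Z", "UserPrincipalName": "alice@example.com", "ResultType": "0"}
{"TimeGenerated": "2024-01-10T08:02:40Z", "UserPrincipalName": "BreakGlass@Example.com", "ResultType": "0"}
{"TimeGenerated": "2024-01-10T08:09:05Z", "UserPrincipalName": "bob@example.com", "ResultType": "50126"}
{"TimeGenerated": "2024-01-10T08:12:30Z", "UserPrincipalName": "breakglass@example.com", "ResultType": "50126"}
"""
BREAK_GLASS_UPN = "breakglass@example.com"  # placeholder: substitute your break-glass UPN
FREQUENCY = timedelta(minutes=5)            # the rule's "Frequency of evaluation"

def parse_signin_logs(text):
    """Parse NDJSON rows into dicts with a timezone-aware TimeGenerated."""
    rows = []
    for line in text.strip().splitlines():
        row = json.loads(line)
        row["TimeGenerated"] = datetime.fromisoformat(row["TimeGenerated"].replace("Z", "+00:00"))
        rows.append(row)
    return rows

def matches_break_glass(row, upn=BREAK_GLASS_UPN):
    """UPNs are not case-sensitive, so compare case-folded (KQL '=~') rather than with '=='.
    Like the guide's query, this also matches failed attempts (ResultType != "0")."""
    return row["UserPrincipalName"].casefold() == upn.casefold()

def evaluate_alert(rows, window_end, frequency=FREQUENCY, upn=BREAK_GLASS_UPN):
    """One scheduler tick: count matching rows in (window_end - frequency, window_end]
    and fire when that count is greater than 0. Returns (fired, hits)."""
    window_start = window_end - frequency
    hits = [r for r in rows
            if window_start < r["TimeGenerated"] <= window_end and matches_break_glass(r, upn)]
    return len(hits) > 0, hits

def demo_results():
    """Evaluate the rule at 08:05, 08:10 and 08:15 UTC over the sample; returns (tick, fired, ResultTypes)."""
    rows = parse_signin_logs(SAMPLE_SIGNIN_LOGS)
    first_tick = datetime(2024, 1, 10, 8, 5, tzinfo=timezone.utc)
    results = []
    for i in range(3):
        tick = first_tick + i * FREQUENCY
        fired, hits = evaluate_alert(rows, tick)
        results.append((tick, fired, [h["ResultType"] for h in hits]))
    return results

if __name__ == "__main__":
    for tick, fired, hits in demo_results():
        print(tick.strftime("%H:%M"), "ALERT" if fired else "ok", hits)
```

The second tick stays quiet because only another user's failed sign-in falls in its window, while the first and third fire on the break-glass account even though one row differs in letter case and the other is a failed attempt.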
If your tenant is not big, this alert will only cost a couple of bucks. However, the bigger cost may come from storing all the sign-in logs. If the logs are under 5 GB there will be no charge; above that, you’ll have to pay storage fees: