Azvise

Notes on Microsoft stuff ☁️
Published March 1, 2022, updated February 9, 2023, by Azvise

Receive an alert on user login – Azure AD

General introduction

Since best practice in Azure AD is to exclude break-glass administrators from most Conditional Access policies, you probably want to receive an alert whenever such an account signs into the tenant. This account should not be used for day-to-day operations, and its authentication methods should be really strong.

How to guide

For this procedure, you’ll need Azure AD Premium P1 or P2.

To receive an alert on a user login you’ll need to export sign-in logs to a Log Analytics workspace, then set up the triggers. We’ll go over the steps in this guide:

  • Open the Log Analytics page
  • Click on “Create”.
  • Select the subscription, resource group and choose a name and region for the LAW instance.
  • Click on “Review + Create”, then on “Create”.
  • Go to Diagnostics Settings | Azure AD
  • Click on “Add diagnostic setting”.
  • Select “SignInLogs” and “Send to Log Analytics workspace”.
  • Select the Log workspace you just created.
  • Give the diagnostic setting a name.
  • Click “Save”.
  • Go to AAD | All Users
  • Click on the user you want to get alerts for, and copy the User Principal Name.
  • Open your Log Analytics workspace.
  • Go to “Alerts”, then “+ Create”, “Alert rule”.
  • Under “Condition”, select “Add”.
  • Select “Custom log search”.
  • In the text box, paste the following query, replacing the UPN with that of your break-glass account (the filter goes first, so only the matching rows are projected):
SigninLogs
| where UserPrincipalName == "demo@azdemoenv.onmicrosoft.com"
| project UserPrincipalName
  • Under “Alert logic”, select “Operator” Greater than 0, with “Frequency of evaluation” 5 minutes.
  • If you want to get alerts as soon as possible, set the frequency of evaluation to 1 minute.
  • Click on “Next”.
  • Create an Action Group, or select your existing one.
  • To create one, click on “Add action groups”, select the subscription, resource group, and give the Action Group a name and display name.
  • Select the type of notification you want to get. In my example, I’ve selected an email and SMS.
  • Click “Ok”, and give the notification a name.
  • Click on “Review + create”; you will have the chance to test the rule before putting it into production.
  • Once you are happy with your rule, click “Create”.
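A fuller version of the alert query, as an added example that is not part of the original post: it covers more than one break-glass account and returns the sign-in context a responder needs when the alert fires. The UPNs are placeholders; the columns used are standard SigninLogs fields.

```kql
// Added example, not from the original post. Placeholder UPNs: replace them
// with your own break-glass accounts. Do not add a TimeGenerated filter here;
// the alert rule's own evaluation period defines the lookback window.
let BreakGlassAccounts = dynamic([
    "breakglass1@contoso.onmicrosoft.com",
    "breakglass2@contoso.onmicrosoft.com"
]);
SigninLogs
// in~ is a case-insensitive match, so differences in UPN casing are not missed
| where UserPrincipalName in~ (BreakGlassAccounts)
// Keep both successful (ResultType == 0) and failed sign-ins: for a break-glass
// account, attempts are as interesting as successes.
| project TimeGenerated,
          UserPrincipalName,
          AppDisplayName,
          IPAddress,
          Location,
          ResultType,
          ResultDescription,
          ConditionalAccessStatus
| order by TimeGenerated desc
```

With the alert logic set to “Greater than 0”, the rule fires on any returned row, and the projected columns appear in the alert payload sent to the Action Group.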

If your tenant is not big, this alert will only cost a couple of bucks. However, the bigger cost may come from storing all the sign-in logs. If the logs are under 5 GB there will not be any charge; above that you’ll have to pay storage fees:

Azure Monitor Pricing

Whoami
Welcome to my blog, I’m Pietro, a Security Architect focusing on Microsoft technologies. I'm passionate about Security, Identity, Azure, and F1. I'm sometimes playing around with Intune stuff.
I hope you'll save a bit of time and learn something new from my articles. Enjoy!