Set alert for Microsoft 365 Global Admin password reset

Question

Set alert for Microsoft 365 Global Admin password reset

Cloud_Geek_82 901

Hi Guys,

Is it possible to set an alert that would send an email every time Microsoft 365 Global Admin password is changed?

Thanks in advance.

0 comments

Answer accepted by question author

4 additional answers

Your answer

Answer 1

Hey,

I set up an alert for password changes doing the following steps:

Open log analytics

User's image

run the query to ensure you see results.

User's image

once confirmed the query is ok and returning events. click "new alert rule"

User's image

you can leave the conditions as they are. The query should already be in the box.
go to actions and create an action group.

User's image

Set the action group name and display name.
add the users and emails you want to notify when the password changes are detected.

User's image

test your action group.

User's image

You can review and save.

Change the password for one of the accounts in your query and confirm the alert is triggered.

Answer 2

Cloud_Geek_82 901

@Michael Smith

Thanks you very much for your help.

Works exactly the way I was needed.

0 comments

Answer 3

Hey,

Thank you for contacting the Q&A community.

If you want to set up alerts for specific accounts you can do so using alerts in log analytics.

Create the workspace here
https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.OperationalInsights%2Fworkspaces

You need to create a log analytics workspace then export your audit logs to the workspace.

Then go to your audit logs and choose export data settings

User's image

Once the audit logs are being exported you can run the following query to find the audit logs for the password changes for the specific users.

AuditLogs
| where TargetResources[0].userPrincipalName == "******@domain.com" or TargetResources[0].userPrincipalName == "******@domain.com"
| where OperationName == "Change user password"

Then follow the doc below to set up the alert rule. You need to create an action group where you can specify the emails that are alerted. This is also in the doc.
https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/tutorial-log-alert

Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

Cloud_Geek_82 901 Reputation points

2024-03-13T19:28:12.89+00:00

Hi @Michael Smith

I have created Log Analytics workspace and under Microsoft Entra ID > Audit Logs added diagnostic setting exactly as shown on your second screen.

Now a bit unclear how to set up an alert.

In your link as I understand an example is related to storage account.

In my my case (since my alert is related to Entra ID event) should I go to Entra ID > Log Analytics > + New alert rule?

Answer 4

Andy David - MVP 160.2K MVP Volunteer Moderator

You can set in the Entra portal

User's image

Cloud_Geek_82 901 Reputation points

2024-03-08T20:15:03.8566667+00:00

Hi @Andy David - MVP

As far as I understand this would works if\when admins (btw it is clear whether it is applicable to Global Admins or any admin role) reset their passwords through SSPR.

In my case , alerts should be triggered when admin's password is reset from admin portal.

Answer 5

Cloud_Geek_82 901

Hi @Michael Smith

Thanks for the detailed guide.

Just one question on the steps of of creating an alert rule.

Could you please advise what I should select in the highlighted fields.

alert rule

Also for testing purposes I reset a password for one of the Microsoft 365 accounts but I run the query I get "No results found from the last 30 minutes Try selecting another time range". (I used the same query you posted and only replaced with my UPN addresses.)

Michael Smith 2,931 Reputation points Microsoft Employee Moderator

2024-03-14T22:38:37.6633333+00:00
Hey again, sorry i should have specified. You can set threshold value to 0 leave the other settings as is.

I have updated the query to include passwords reset from the portal.

So using this query in my alert i will get an email if the 2 accounts list have the password reset in the portal or if their password is changed

AuditLogs | where TargetResources[0].userPrincipalName == "******@domain.com" or TargetResources[0].userPrincipalName == "******@domain.com" | where OperationName == "Change user password" or OperationName == "Reset user password" or OperationName =="Reset password (by admin)"

If you are still not seeing the entries please check your audit logs from the azure portal for the user you are testing the password change on.

The activity name in the audit logs should match up with the operation name.

you can also just run the query on the user to show all the audit logs for that user. This will show you the different operations you may want to trigger the alert on.

AuditLogs| where TargetResources[0].userPrincipalName == "******@domain.com" or TargetResources[0].userPrincipalName == "******@domain.com"

Let me know if have more questions.

Share via

Set alert for Microsoft 365 Global Admin password reset

4 additional answers

Your answer