Get email notification for AzureAD/On-prem AD accounts that have been locked out due to too many password failed attempts

Said A 911 Reputation points
2022-08-26T17:48:56.96+00:00

Hello everyone,

I am currently investigating the possibility of having email notifications sent to me when a user account gets locked out because of failed password attempts.

The users are Hybrid (synced to Azure AD)

I am currently browsing this: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout

But there is no mention of email notifications to Admins.

Any insights would be appreciated.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Andreas Baumgarten 123.7K Reputation points MVP Volunteer Moderator
    2022-08-26T18:12:56.243+00:00

    Hi @Said A,

    there are a few examples on the internet related to "AD user locked out mail admin":

    https://www.sealingtech.com/blog/sending-automatic-email-notifications-when-an-active-directory-account-locks/
    https://community.spiceworks.com/topic/2279543-email-the-helpdesk-when-domain-user-is-locked-out
    https://www.linkedin.com/pulse/useful-script-send-email-notification-account-lockout-arafa/

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten

    1 person found this answer helpful.

1 additional answer

  1. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2022-09-06T18:39:13.017+00:00

    @Said A
    Thank you for your post and I apologize for the delayed response!

    By leveraging Azure Monitor, you should be able to Integrate with Azure AD to route your logs and events to a Log Analytics workspace. From the Log Analytics workspace, you can set up alerting to receive email notifications when an Azure AD user gets locked out of their account.


    From the Log Analytics workspace that you selected when setting up the integration:

    • Select Alerts
    • Create Alert Rule
    • Search for and select Locked accounts (Category: Security Info Notable Issues)
      Locked accounts (Category: Security Info Notable Issues) queries for Event ID 4740.


    As you walk through setting up the Alert, you can Create an Action Group where you'll be able to Configure notifications and select the type of notification that you want to be sent (Email, SMS, Push, Voice).

    Additional Links:
    Create a new alert rule
    Analyze Azure AD activity logs with Azure Monitor logs
    Troubleshooting problems in Azure Monitor alerts

    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    2 people found this answer helpful.
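
The alert condition described in the answer above, written out as a custom log query for a hybrid environment; this is an added example, not part of the original thread or a Microsoft-provided query. It assumes domain controller Security events are collected into the `SecurityEvent` table and Azure AD sign-in logs are routed to `SigninLogs` in the same workspace; the 15-minute window is an assumed evaluation period, and sign-in result code 50053 (account locked by smart lockout) is not mentioned in the answer.

```kusto
// Added example: one alert query covering both halves of a hybrid identity.
// isfuzzy=true lets the query still run if one of the two tables
// has not been created in the workspace yet.
union isfuzzy=true
    (
        // On-premises AD: event 4740 is written when an account is locked out.
        SecurityEvent
        | where TimeGenerated > ago(15m)          // assumed evaluation window
        | where EventID == 4740
        | project TimeGenerated,
                  Source  = "On-prem AD (event 4740)",
                  Account = TargetAccount,
                  Origin  = Computer              // the DC that logged the event
    ),
    (
        // Azure AD: smart lockout surfaces as sign-in error 50053.
        SigninLogs
        | where TimeGenerated > ago(15m)          // assumed evaluation window
        | where ResultType == "50053"
        | project TimeGenerated,
                  Source  = "Azure AD (sign-in error 50053)",
                  Account = UserPrincipalName,
                  Origin  = IPAddress             // client IP of the blocked sign-in
    )
// One row per locked account and origin, so the alert email names the user.
| summarize Lockouts = count(), LastSeen = max(TimeGenerated)
    by Source, Account, Origin
| order by LastSeen desc
```

Used as the condition of a log alert rule that fires when the result count is greater than 0, with the Action Group's email notification attached, this reports lockouts from either side of the sync.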
