How to set the alert for B2B user for deletion

Singampalli,R,RamaKrishna,QGE R 26 Reputation points
2023-04-03T11:17:33.5566667+00:00

Hi Team,

I want to set an alert for B2B users, in case a user gets deleted by anyone mistakenly.

I am trying to differentiate the logs for guest users and AD users but am not able to find a way. Could anyone please help with this?

AuditLogs
| where Category contains "UserManagement" and OperationName contains "Delete user"

Accepted answer
  1. Shweta Mathur 28,106 Reputation points Microsoft Employee
    2023-04-06T07:24:18.67+00:00

    Hi @Singampalli,R,RamaKrishna,QGE R ,

    To set up the alert, export audit logs to a Log Analytics workspace, then set up triggers if any user gets deleted.

    First, set up Log Analytics Workspaces and create a new workspace.

    Now integrate Azure AD logs in Log Analytics: select Diagnostics settings in the Azure Active Directory blade and add a diagnostic setting.

    Select AuditLogs and the Destination details to send logs to the Log Analytics workspace, and save.

    Now, to create the alert, select the Monitor resource and then select 'Alerts'. Click on the + New alert rule link in the main pane.

    In the Scope area make the following changes:

    • Click the Select resource link.
    • The Select a resource blade appears.
    • From the Filter by subscription drop-down list, select the Azure subscription containing the previously created Log Analytics workspace.
    • From the Filter by resource type drop-down list, select Log Analytics workspaces.
    • In the Resource list, select the previously created Log Analytics workspace.
    • Click Done at the bottom of the Select a resource blade to save the settings and close the blade.

    In the Condition area make the following changes:

    • Click the Select condition link.
    • The Configure signal logic blade appears.
    • In the Signal name list, select Custom log search. This is the top signal in the list.
    • In the Search query field, type the following query:

       AuditLogs
       | where Category contains "UserManagement" and OperationName contains "Delete user"

    Select the action group and action details to create the alert. Reference: https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-new-alert-rule?tabs=metric

    Hope this will help.

    Thanks,
    Shweta

    Please remember to "Accept Answer" if answer helped you.


2 additional answers

  1. Shweta Mathur 28,106 Reputation points Microsoft Employee
    2023-04-04T11:57:29.02+00:00

    Hi @Singampalli,R,RamaKrishna,QGE R ,

    Thanks for reaching out. I understand you are looking for a query to create an alert when a guest user gets deleted. When adding and updating users, the user type can be retrieved from the additional details and modified properties in the audit logs. However, for deleted users the user type details are not known, as the user has been deleted from the system.

    Hope this will help.
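
Since the delete event carries no user type, one workaround is to match on the target's user principal name instead. The query below is an added example, not part of either answer: it assumes the deleted guests still had the default B2B UPN form containing "#EXT#" and that the event's TargetResources entry records that UPN, so a guest whose UPN was changed would not match.

```kql
// Added example (not from the original answers).
// Assumption: B2B guests keep the default "#EXT#" marker in their UPN,
// and the "Delete user" event records that UPN in TargetResources.
AuditLogs
| where Category contains "UserManagement" and OperationName contains "Delete user"
// One row per target object recorded on the event
| mv-expand Target = TargetResources
| extend TargetUpn = tostring(Target.userPrincipalName)
// Keep only deletions whose target looks like an invited guest account
| where TargetUpn contains "#EXT#"
// Who performed the deletion: a signed-in user or an application
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                          tostring(InitiatedBy.app.displayName))
| project TimeGenerated, OperationName, Result, TargetUpn, Actor, CorrelationId
```

Used as the Custom log search query in the alert rule, this fires only for guest deletions and shows the initiating account in the alert results.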


  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

