Hi @Singampalli,R,RamaKrishna,QGE R,

To set up the alert, export the audit logs to a Log Analytics workspace, then set up triggers if any user gets deleted.

First, set up Log Analytics Workspaces and create a new workspace.

Now integrate the Azure AD logs with Log Analytics: select Diagnostics settings in the Azure Active Directory blade and add a diagnostic setting.
Select the AuditLogs and Destination details to send logs to Log Analytics Workspace and save.
Now, to create the alert, select the Monitor resource and then select 'Alerts'.
Click on the + New alert rule link in the main pane.
In the Scope area make the following changes:
- Click the Select resource link.
- The Select a resource blade appears.
- From the Filter by subscription drop-down list, select the Azure subscription containing the previously created Log Analytics workspace.
- From the Filter by resource type drop-down list, select Log Analytics workspaces.
- In the Resource list, select the previously created Log Analytics workspace.
- Click Done at the bottom of the Select a resource blade to save the settings and close the blade.
In the Condition area make the following changes:
- Click the Select condition link.
- The Configure signal logic blade appears.
- In the Signal name list, select Custom log search. This is the top signal in the list.
- In the Search query field, type the following query:
AuditLogs
| where Category contains "UserManagement" and OperationName contains "Delete user"
Select the action group and action details to create the alert.

Reference: https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-new-alert-rule?tabs=metric

Hope this will help.

Thanks,
Shweta

Please remember to "Accept Answer" if the answer helped you.
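To see which audit rows the query in the answer above would alert on, this added example (not part of the original answer) re-implements its two `contains` filters in Python and runs them over constructed rows shaped like the AuditLogs table. The sample values and the function names `kql_contains`, `matches_alert_query`, `actor_of` and `summarize` are assumptions made for illustration.

```python
# Constructed rows shaped like the Log Analytics AuditLogs table (not real tenant data).
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-01-10T09:15:00Z", "Category": "UserManagement",
     "OperationName": "Delete user", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "TargetResources": [{"userPrincipalName": "alice@contoso.example"}]},
    {"TimeGenerated": "2024-01-10T09:20:00Z", "Category": "UserManagement",
     "OperationName": "Hard Delete user", "Result": "success",
     "InitiatedBy": {"app": {"displayName": "cleanup-automation"}},
     "TargetResources": [{"userPrincipalName": "alice@contoso.example"}]},
    {"TimeGenerated": "2024-01-10T09:30:00Z", "Category": "UserManagement",
     "OperationName": "Delete user", "Result": "failure",
     "InitiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "TargetResources": [{"userPrincipalName": "bob@contoso.example"}]},
    {"TimeGenerated": "2024-01-10T09:40:00Z", "Category": "UserManagement",
     "OperationName": "Add user", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "TargetResources": [{"userPrincipalName": "carol@contoso.example"}]},
    {"TimeGenerated": "2024-01-10T09:50:00Z", "Category": "GroupManagement",
     "OperationName": "Delete group", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "TargetResources": [{"displayName": "Finance"}]},
]

def kql_contains(value, needle):
    """Mimic KQL `contains`: a case-insensitive substring match."""
    return needle.lower() in (value or "").lower()

def matches_alert_query(row):
    """Same two conditions as the alert query in the answer."""
    return (kql_contains(row.get("Category"), "UserManagement")
            and kql_contains(row.get("OperationName"), "Delete user"))

def actor_of(row):
    """The initiator is either a user (UPN) or an app (display name)."""
    by = row.get("InitiatedBy") or {}
    return ((by.get("user") or {}).get("userPrincipalName")
            or (by.get("app") or {}).get("displayName") or "unknown")

def summarize(rows):
    """Return one alert summary per row the query would match."""
    hits = []
    for row in rows:
        if matches_alert_query(row):
            target = (row.get("TargetResources") or [{}])[0]
            hits.append({"time": row["TimeGenerated"], "operation": row["OperationName"],
                         "result": row.get("Result"), "actor": actor_of(row),
                         "target": target.get("userPrincipalName", "unknown")})
    return hits
```

Three of the five constructed rows match: because `contains` is a substring match, the "Hard Delete user" row is included, and because the query has no condition on `Result`, the failed deletion attempt is included as well.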