Notification or Alerts for MFA setting

Hafiz Shoaib 20 Reputation points
2023-08-16T23:02:52.4766667+00:00

Hi Everyone

Could we set up an alert when an MFA method is added, changed or deleted in the Microsoft account settings security option?


Accepted answer
  1. Sandeep G-MSFT 15,081 Reputation points Microsoft Employee
    2023-08-17T11:49:08.8766667+00:00

    @Hafiz Shoaib

    Currently, we do not have an option to configure an alert when any of the MFA methods is added, deleted or modified.

    But you can pull the report on which user has registered for which MFA method.

    You can get this report using the Azure portal GUI.

    • Log in to the Azure portal with global admin credentials.
    • Go to Azure Active Directory.
    • Click on Security.
    • Then click on Authentication Methods.
    • Now you can click on "User registration details" and "Registration and reset events".
    • This is the report that shows which user is registered for what authentication method in MFA.


    Let me know if you have any questions on this.

    If you are looking for an alert to be configured, you can submit feedback in the Azure feedback portal regarding this.

    https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


2 additional answers

  1. CK 10 Reputation points
    2024-02-28T15:39:53.4+00:00

    I had the same question and figured out how to create an Alert Rule in Azure for this. Azure charges you $.50/month for the Alert Rule plus your logs consumption for Entra ID.

    Step 1: Go to Entra ID in Azure. Go to the Diagnostic Settings menu item and set up Logs for AuditLogs. We send ours to a Log Analytics workspace. This will record any instances of user MFA sessions.

    Step 2: Go to Alerts in Azure and create an Alert Rule. For Scope, point it to the Log Analytics Workspace where you are saving your Entra ID logs from step 1. For Condition, select "Custom log search". Set the query as:

    AuditLogs
    | where OperationName == 'User registered security info'
    

    • Measure: Table Rows
    • Aggregation Type: Count
    • Aggregation granularity: 6 hours
    • Operator: Greater Than
    • Threshold value: 0
    • Frequency: 6 hours

    For Action Groups, we set up an email notification to our admins.

    2 people found this answer helpful.
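
The query in the answer above matches one operation only. The following is an added example, not part of CK's answer or of Microsoft's documentation, that widens the alert to added, changed and deleted methods, as the original question asks. It assumes the standard `AuditLogs` schema in the Log Analytics workspace; every operation name other than 'User registered security info' is an assumption to confirm against your own logs.

```kusto
// Added example: alert on MFA methods being added, changed or deleted,
// whether by the user or by an admin acting on the user's account.
// Assumption: apart from 'User registered security info', the operation
// names below are the Entra ID audit activity names as they appear in
// your workspace. List what your tenant actually logs with:
//   AuditLogs
//   | where LoggedByService == "Authentication Methods"
//   | distinct OperationName
let mfaChangeOps = dynamic([
    "User registered security info",
    "User changed default security info",
    "User deleted security info",
    "Admin registered security info",
    "Admin updated security info",
    "Admin deleted security info"
]);
AuditLogs
| where OperationName in (mfaChangeOps)
// Who made the change, from where, and whose account was changed.
| extend Actor      = tostring(InitiatedBy.user.userPrincipalName)
| extend ActorIp    = tostring(InitiatedBy.user.ipAddress)
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
// True when someone other than the account owner made the change
// (also true when no user actor is recorded for the event).
| extend ChangedByOther = Actor !~ TargetUser
| project TimeGenerated, OperationName, Result, ResultDescription,
          TargetUser, Actor, ActorIp, ChangedByOther, CorrelationId
| order by TimeGenerated desc
```

The alert rule settings from the answer (Table Rows, Count, Greater Than 0) work unchanged with this query, and the projected columns give the admin receiving the notification the target account, actor and source IP for each change.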

  2. Emi Zhang-MSFT 22,396 Reputation points Microsoft Vendor
    2023-08-17T02:21:38.7366667+00:00

    Hi,

    I suggest you post this issue to Microsoft 365 Admin Center:

    https://techcommunity.microsoft.com/t5/microsoft-365-admin-center/bd-p/AdminCenter

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.


    If the response is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
