Creating an alert for a blocked login account in Azure AD

Ashutosh Joshi 1 Reputation point
2021-09-18T13:59:07.03+00:00

Hello Team,

I wanted to create an alert for a blocked login account in Azure AD from the sign-in logs, but was not able to find the required query. If I find one, then the alert throws errors when I configure it myself, saying it is not a valid query. Can you please provide the required query or point me in a direction where I can find it? Looking forward to hearing from you.

Thanks!!!

Microsoft Entra ID

2 answers

  1. Devaraj G 2,091 Reputation points
    2021-09-19T10:31:39.13+00:00

    Hi Ashutosh,

    For more granular hunting queries for Azure AD logs, I would recommend leveraging Azure Sentinel, which is a SIEM and SOAR tool offered by Microsoft Azure. This can give you lots of inbuilt capabilities for security monitoring of Azure sign-ins, along with many other integrations.

    With respect to the blocked sign-in, let me also try the custom query in my lab and update you.


  2. Ian Campbell 0 Reputation points
    2024-03-15T20:17:08.14+00:00

    Am currently researching this too, as a user was blocked yesterday and we had no notification of it. Simply telling a user to purchase AZ Sentinel is not an acceptable answer to the question, and no further info is provided...
