Azure AD Provisioning logs analytics query and alerts

SenhorDolas 1,326 Reputation points
2022-02-15T18:41:44.477+00:00

Hi all,

I am looking to set up an alert to notify me of a Failure provisioning - this would be between Azure AD and SAP for example.

I found the logs analytics query which works fine but I would like to fine tune it so I can see the username of the failed export:

    // Provisioning errors
    // Shows the count per error code and when were they last seen.
    AADProvisioningLogs
    | where ResultType == "Skipped"
    | where SourceIdentity != ""
    | project SourceIdentity, TimeGenerated, Id
    | extend Name_ = tostring(parse_json(SourceIdentity).Name)

I can see the Userprincipalname inside SourceTarget/Details (on the results) but I cannot find a query to pull this out and send me the alert.

Basically I would like to be alerted about the username, the groups the user is in and the target system name (my AAD is iDP for lots)

I guess I really need some working examples to get used to KQL :)

Thanks, M


1 answer

  1. SenhorDolas 1,326 Reputation points
    2022-02-17T10:46:11.687+00:00

    Resolved! Thanks everyone watching this question:

    AADProvisioningLogs
    | where ResultType == "Failure"
    | where SourceIdentity != ""
    | project tostring(parse_json(SourceIdentity).Name), tostring(parse_json(StatusInfo).Reason), TimeGenerated
    
    1 person found this answer helpful.
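
An added example, not part of the original question or answer: the same failure filter, extended to pull the user principal name out of the nested details object and the target system name, with named output columns suitable for an alert. It runs against a constructed `datatable` named `SampleLogs`; the JSON key names `details`, `UserPrincipalName` and the `TargetSystem` column layout are assumptions, so match their exact casing to a real record before use.

```kusto
// Constructed sample rows standing in for AADProvisioningLogs (values are made up).
let SampleLogs = datatable(TimeGenerated:datetime, ResultType:string,
                           SourceIdentity:string, StatusInfo:string, TargetSystem:string)
[
    datetime(2022-02-17 10:00:00), "Failure",
    '{"Name":"Jane Doe","identityType":"User","details":{"UserPrincipalName":"jane.doe@contoso.example"}}',
    '{"Reason":"Constructed sample: target rejected the user"}',
    '{"Name":"SAP (sample)"}',
    datetime(2022-02-17 10:05:00), "Success",
    '{"Name":"John Roe","identityType":"User","details":{"UserPrincipalName":"john.roe@contoso.example"}}',
    '{}',
    '{"Name":"SAP (sample)"}',
    datetime(2022-02-17 10:07:00), "Failure",
    '',                                   // empty SourceIdentity: dropped by the filter
    '{"Reason":"Constructed sample: no source object"}',
    '{"Name":"SAP (sample)"}'
];
SampleLogs
| where ResultType == "Failure" and isnotempty(SourceIdentity)
// Parse each JSON string once, then address properties on the dynamic value.
| extend Src = parse_json(SourceIdentity),
         Status = parse_json(StatusInfo),
         Target = parse_json(TargetSystem)
// Property access on dynamic values is case-sensitive; a wrong key yields an empty string.
| extend UserName = tostring(Src.Name),
         UserPrincipalName = tostring(Src.details.UserPrincipalName),
         TargetSystemName = tostring(Target.Name),
         FailureReason = tostring(Status.Reason)
| project TimeGenerated, UserName, UserPrincipalName, TargetSystemName, FailureReason
| order by TimeGenerated desc
```

To run it on live data, delete the `let` statement and replace `SampleLogs` with `AADProvisioningLogs`.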
