Detect and respond to security alerts

Appropriate roles: Admin agent

Applies to: Partner Center Direct Bill and Indirect Providers

You can subscribe to a new security alert for detections related to unauthorized party abuse and account takeovers. This security alert is one of the many ways Microsoft provides the data you need to secure your customer's tenants.

Important

As a partner in the Cloud Solution Provider (CSP) program, you're responsible for your customers' Azure consumption, so it's important that you're aware of any anomalous usage in your customer's Azure subscriptions. Use Microsoft Azure security alerts to detect patterns of fraudulent activities and misuse in Azure resources to help reduce your exposure to online transaction risks. Microsoft Azure security alerts don't detect all types of fraudulent activities or misuse, so it's critical that you use additional methods of monitoring to help detect anomalous usage in your customer's Azure subscriptions. To learn more, see Managing nonpayment, fraud, or misuse and Managing customer accounts.

Action required: With monitoring and signal awareness, you can take immediate action to determine whether the behavior is legitimate or fraudulent. If necessary, you can suspend affected Azure resources or Azure subscriptions to mitigate an issue.

Make sure that the preferred email address for your Partner Admin Agents is up-to-date, so they can be notified along with the security contacts.

Subscribe to security alert notifications

You can subscribe to various partner notifications based on your role.

Security alerts notify you when your customer's Azure subscription shows possible anomalous activities.

Get alerts by email

1. Sign in to Partner Center and select Notifications (bell).
2. Select My preferences.
3. Set a preferred email address if you haven't already done so.
4. Set the preferred language for the notification if you haven't already done so.
5. Select Edit next to Email notification preferences.
6. Check all boxes relating to Customers in the Workspace column. (To unsubscribe, unselect the transactional section under customer workspace.)
7. Select Save.

We send security alerts when we detect possible security alert activities or misuse in some of your customers' Microsoft Azure subscriptions. There are three types of emails:

• Daily summary of unresolved security alerts (count of partners, customers, and subscriptions affected by various alert types)
• Near real-time security alerts. To get a list of Azure subscriptions that have potential security concerns, see Get fraud events.
• Near real-time security advisory notifications. These notifications provide visibility into the notifications sent to the customer when there's a security alert.

Cloud Solution Provider (CSP) direct bill partners can see more alerts for activities, for example: anomalous compute usage, crypto mining, Azure Machine Learning usage, and service health advisory notifications.

Get alerts through a webhook

Partners can register to a webhook event: azure-fraud-event-detected to receive alerts for resource change events. To learn more, see Partner Center webhook events.

See and respond to alerts through the Security Alerts dashboard

CSP partners can access the Partner Center Security Alerts dashboard to detect and respond to alerts. To learn more, see Respond to security events with Partner Center Security Alerts dashboard.

Get alert details through API

Use the new Microsoft Graph Security Alerts API (Beta)

Benefits: Starting in May 2024, the preview version of the Microsoft Graph Security Alerts API is available. This API provides a unified API gateway experience across other Microsoft services such as Microsoft Entra ID, Teams, and Outlook.

Onboarding requirements: CSP partners who are onboarding are required to use the new Security Alerts Beta API. To learn more, see Use the partner security alert API in Microsoft Graph.

The Microsoft Graph Security Alerts API V1 version will be released in July 2024.

Use Case	APIs
Onboard to Microsoft Graph API to get Access Token	Get access on behalf of a user
List Security Alerts to get visibility into the alerts	List securityAlerts - Microsoft Graph beta | Microsoft Learn
Get Security Alerts to get visibility into a specific alert based on the query param selected.	Get partnerSecurityAlert - Microsoft Graph beta | Microsoft Learn
Get token to call the Partner Center APIs for reference information	Enable secure application model - Partner app developer | Microsoft Learn
Get your Organization Profile information	Get an organization profile - Partner app developer | Microsoft Learn
Get your Customer information by ID	Get a customer by ID - Partner app developer | Microsoft Learn
Get your Indirect Resellers information of a Customer by ID	Get indirect resellers of a customer - Partner app developer | Microsoft Learn
Get Customer's Subscription information by ID	Get a subscription by ID - Partner app developer | Microsoft Learn
Update alert status and resolve when mitigated	Update partnerSecurityAlert - Microsoft Graph beta | Microsoft Learn

Support for the existing FraudEvents API

Important

The legacy fraud events API will be deprecated in CY Q4 2024. For more details, please look out for monthly Partner Center Security announcements. CSP partners should migrate to the new Microsoft Graph Security Alerts API, which is now available in preview.

During the transition period, CSP partners can continue to use the FraudEvents API to get extra detection signals using X-NewEventsModel. With this model, you can get new types of alerts as they're added to the system, for example, anomalous compute usage, crypto mining, Azure Machine Learning usage, and service health advisory notifications. New types of alerts can be added with limited notice, because threats are also evolving. If you use special handling through the API for different alert types, monitor these APIs for changes:

• Get fraud events
• Update fraud event status

What to do when you receive a security alert notification

The following checklist provides suggested next steps for what to do when you receive a security notification.

• Check to make sure the email notification is valid. When we send security alerts, they're sent from Microsoft Azure, with the email address: no-reply@microsoft.com. Partners only receive notification from Microsoft.
• When you're notified, you can also see the email alert in the Action Center portal. Select the bell icon to see the Action Center alerts.
• Review the Azure subscriptions. Determine whether the activity in the subscription is legitimate and expected, or whether the activity might be due to unauthorized abuse or fraud.
• Let us know what you found, either through the Security Alerts dashboard or from the API. To learn more about using the API, see Update fraud event status. Use the following categories to describe what you found:
  • Legitimate - The activity is expected or a false positive signal.
  • Fraud - The activity is due to unauthorized abuse or fraud.
  • Ignore - The activity is an older alert and should be ignored. To learn more, see Why are partners receiving older Security Alerts?.

What other steps can you take to lower the risk of compromise?

• Enable multifactor authentication (MFA) on your customer and partner tenants. Accounts that have permissions to manage customers' Azure subscriptions need to be MFA compliant. To learn more, see Cloud Solution Provider security best practices and Customer security best practices.
• Set up alerts to monitor your Azure role-based access control (RBAC) access permissions on customers' Azure subscriptions. To learn more, see Azure plan - Manage subscriptions and resources.
  • Audit permission changes on your customers' Azure subscriptions. Review the Azure Monitor activity log for Azure subscription-related activity.
• Review spending anomalies against your spending budget in Azure cost management.
• Educate and work with the customers to reduce the unused quota to prevent the damage allowed on the Azure subscription: Quotas overview - Azure Quotas.
  • Submit request to manage Azure quota: How to create an Azure support request - Azure supportability
  • Review the current quota usage: Azure Quota REST API Reference
  • If you're running critical workloads that require high capacity, consider on-demand capacity reservation or Azure reserved virtual machine instances

What should you do if an Azure subscription has been compromised?

Take immediate action to protect your account and data. Here are a few suggestions and tips to quickly respond and contain a potential incident to reduce its impact and overall business risk.

Remediating compromised identities in a cloud environment is crucial for ensuring the overall security of cloud-based systems. Compromised identities can provide attackers with access to sensitive data and resources, making it essential to take immediate action to protect the account and data.

• Immediately change credentials for:

  • Tenant admins and RBAC access on Azure Subscriptions What is Azure role-based access control (Azure RBAC)?
  • Follow the password guidance. Password policy recommendations
  • Ensure all the tenant admins and RBAC owners have MFA registered and enforced

• Review and verify all global admin user password recovery emails and phone numbers within Microsoft Entra ID. Update them if necessary. Password policy recommendations

• Review which users, tenants, and subscriptions are at risk within the Azure portal.

  • Investigate the risk by going to Microsoft Entra ID to review Identity Protection's Risk Reports. To learn more, see Investigate risk Microsoft Entra ID Protection
  • License Requirements for Identity Protection
  • Remediate risks and unblock users
  • User experiences with Microsoft Entra ID Protection

• Review the Microsoft Entra sign-in logs on the customer tenant to see unusual sign-in patterns around the time when the security alert is triggered.

After malicious actors are evicted, clean the compromised resources. Keep a close eye on the affected subscription to make sure there's no further suspicious activity. It's also a good idea to regularly review your logs and audit trails to ensure that your account is secure.

• Check for any unauthorized activity in the Azure Activity Log, for example, changes to our billing, usage for unbilled commercial consumption line items, or configurations.
• Review spending anomalies against the customer's spending budget in Azure cost management.
• Disable or delete any compromised resources:
  • Identify and evict the threat actor: Use Microsoft and Azure security resources to help recover from systemic identity compromise.
  • Check the Azure Activity Log any subscription-level changes.
  • Deallocate and remove any resources created by unauthorized party. Watch How to keep your Azure subscription clean | Azure Tips and Tricks (video)
  • You can cancel the customers' Azure subscriptions through the API (Cancel an Azure entitlement) or through the Partner Center portal.
  • Contact Azure support immediately and report the incident
  • Clean up storage after the event: Find and delete unattached Azure managed and unmanaged disks - Azure Virtual Machines

Preventing account compromise is easier than recovering from it. Therefore, it's important to strengthen your security posture.

• Review the quota on the customers Azure subscriptions and submit the request to reduce the unused quota. For more information, see Reduce Quota.
• Review and implement the Cloud Solution Provider security best practices.
• Work with your customers to learn and implement the Customer security best practices.
• Make sure Defender for Cloud is turned on (There's a free tier available for this service).

For more information, see the article support.

More tools for monitoring

• Set up alerts from the Azure portal
• Set an Azure spending budget for customers

How to prepare your end customers

Microsoft sends notifications to Azure subscriptions, which go to your end customers. Work with your end customer to ensure that they can act appropriately and are alerted of various security issues within their environment:

• Set up usage alerts with Azure Monitor or Azure Cost management.
• Set up Service Health Alerts to be aware of other notifications from Microsoft about security and other related issues.
• Work with your organization's Tenant Admin (if this isn't managed by the Partner) to enforce increased security measures on your tenant (see the following section).

Additional information for protecting your tenant

• Review and implement operational security best practices for your Azure assets.

• Enforce Multifactor Authentication to strengthen your identity security posture.

• Implement risk policies and alerting for High Risk users and sign-ins: What is Microsoft Entra ID Protection?.

If you suspect unauthorized usage of your or your customer's Azure subscription, engage Microsoft Azure Support so Microsoft can help expedite any other questions or concerns.

If you have specific questions regarding Partner Center, submit a support request in Partner Center. For more information: Get support in Partner Center.

Check security notifications under Activity logs

1. Sign in to Partner Center and select the settings (gear) icon on top right corner, then select the Account settings workspace.
2. Navigate to Activity logs on the left panel.
3. Set the From and To dates in the top filter.
4. In Filter by Operation Type, select Azure Fraud Event Detected. You should be able to see all security alerts Events detected for the selected period.

Why are partners receiving older Azure security alerts?

Microsoft has been sending Azure Fraud alerts since December 2021. However, in the past, alert notification was based on opt-in preference only, where partners had to opt in to receive notice. We've changed this behavior. Partners should now resolve all fraud alerts (including old alerts) that are open. To secure your and your customers' security posture, follow the Cloud Solution Provider security best practices.

Microsoft is sending the daily fraud summary (this is the count of partners, customers, and subscriptions affected) if there's an active unresolved fraud alert within the last 60 days.

Why am I not seeing all the alerts?

Security alert notifications are limited to detecting patterns of certain anomalous actions in Azure. Security alert notifications don't detect and aren't guaranteed to detect all anomalous behaviors. It's critical that you use other methods of monitoring to help detect anomalous usage in your customer's Azure subscriptions, such as monthly Azure spending budgets. If you receive an alert that is significant and is a false negative, reach out to Partner Support and provide the following information:

• Partner Tenant ID
• Customer Tenant ID
• Subscription ID
• Resource ID
• Impact start and impact end dates

Next steps

• Integrate with the Security Alerts API and register a webhook.