Rediger

Del via


Microsoft Entra ID Governance custom alerts

Microsoft Entra ID Governance makes it easy to alert people in your organization when they need to take action (ex: approve a request for access to a resource) or when a business process isn't functioning properly (ex: new hires aren't getting provisioned).

The following table outlines some of the standard notifications that Microsoft Entra ID Governance provides, the target persona in an organization, where they would expect to be alerted, and how quickly they would be alerted.

Sample of existing standard notifications

Persona Alert method Timeliness Example alert
End user Teams Minutes You need to approve or deny this request for access;
The access you requested has been approved, go use your new app.

Learn more
End user Teams Days The access you requested is going to expire next week, please renew.Learn more
End user Email Days Welcome to Woodgrove, here is your temporary access pass. Learn more.
Help desk ServiceNow Minutes A user needs to be manually provisioned into a legacy application. Learn more
IT operations Email Hours Newly hired employees aren't being imported from Workday. Learn more

Custom alert notifications

In addition to the standard notifications provided by Microsoft Entra ID Governance, organizations can create custom alerts to meet their needs.

All activity performed by the Microsoft Entra ID Governance services is logged in the Microsoft Entra Audit Logs. By pushing the logs to a Log Analytics workspace, organizations can create custom alerts.

The following section provides examples of custom alerts that customers can create by integrating Microsoft Entra ID Governance with Azure Monitor. By using Azure Monitor, organizations can customize what alerts are generated, who receives the alerts, and how they receive the alert (email, SMS, help desk ticket, etc.).

Feature Example alert
Access Reviews Alert an IT admin when an access review is deleted.
Entitlement management Alert an IT admin when a user is directly added to a group, without using an access package.
Entitlement management Alert an IT admin when a new connected organization is added.
Entitlement management Alert an IT admin when a custom extension fails.
Entitlement management Alert an IT admin when an entitlement management access package assignment policy is created or updated without requiring approval.
Lifecycle workflows Alert an IT admin when a specific workflow fails.
Multitenant collaboration Alert an IT admin when cross-tenant sync is enabled
Multitenant collaboration Alert an IT admin when a cross-tenant access policy is enabled
Privileged Identity Management Alert an IT admin when PIM alerts are disabled.
Privileged Identity Management Alert an IT admin when a role is granted outside of PIM.
Provisioning Alert an IT admin when there is a spike in provisioning failures over the past day.
Provisioning Alert an IT admin when someone starts, stops, disables, restarts, or deletes a provisioning configuration.
Provisioning Alert an IT admin when a provisioning job goes into quarantine.

Access reviews

Alert an IT admin when an access review has been deleted.

Query

AuditLogs
| where ActivityDisplayName == "Delete access review"

Entitlement management

Alert an IT admin when a user is directly added to a group, without using an access package.

Query

AuditLogs
| where parse_json(tostring(TargetResources[1].id)) in ("InputGroupID", "InputGroupID")
| where ActivityDisplayName == "Add member to group"
| extend ActorName = tostring(InitiatedBy.app.displayName)
| where ActorName != "Azure AD Identity Governance - User Management"

Alert an IT admin when a new connected organization is created. Users from this organization can now request access to resources made available to all connected organizations.

Query

AuditLogs
| where ActivityDisplayName == "Create connected organization"
| mv-expand AdditionalDetails
| extend key = AdditionalDetails.key, value = AdditionalDetails.value
| extend tostring(key) == "Description"
| where key == "Description"
| parse value with * "\n" TenantID 
| distinct TenantID

Alert an IT admin when an entitlement management custom extension fails.

Query

AuditLogs
| where ActivityDisplayName == "Execute custom extension"
| where Result == "success"
| mvexpand TargetResources 
| extend  CustomExtensionName=TargetResources.displayName
| where CustomExtensionName in ('<input custom exteionsion name>', '<input custom extension name>')

Alert an IT admin when an entitlement management access package assignment policy is created or updated without requiring approval.

Query

AuditLogs
| where ActivityDisplayName in ("Create access package assignment policy", "Update access package assignment policy")
| extend AdditionalDetailsParsed = parse_json(AdditionalDetails)
| mv-expand AdditionalDetailsParsed
| extend Key = tostring(AdditionalDetailsParsed.key), Value = tostring(AdditionalDetailsParsed.value)
| summarize make_set(Key), make_set(Value) by ActivityDisplayName, CorrelationId
| where set_has_element(set_Key, "IsApprovalRequiredForAdd") and set_has_element(set_Value, "False")
| where set_has_element(set_Key, "SpecificAllowedTargets") and not(set_has_element(set_Value, "None"))

Lifecycle workflows

Alert an IT admin when a specific lifecycle workflow fails.

Query

AuditLogs
| where Category == "WorkflowManagement"
| where ActivityDisplayName in ('On-demand workflow execution completed', 'Scheduled workflow execution completed')
| where Result != "success"
| mvexpand TargetResources 
| extend  WorkflowName=TargetResources.displayName
| where WorkflowName in ('input workflow name', 'input workflow name')
| extend WorkflowType = AdditionalDetails[0].value 
| extend DisplayName = AdditionalDetails[1].value 
| extend ObjectId = AdditionalDetails[2].value 
| extend UserCount = AdditionalDetails[3].value 
| extend Users = AdditionalDetails[4].value 
| extend RequestId = AdditionalDetails[5].value 
| extend InitiatedBy = InitiatedBy.app.displayName 
| extend Result = Result 
| project WorkflowType, DisplayName, ObjectId, UserCount, Users, RequestId, Id, Result,ActivityDisplayName

Alert logic

  • Based on: Number of results
  • Operator: Equal to
  • Threshold: 0

Multitenant collaboration

Alert an IT admin when a new cross-tenant access policy is created. This allows your organization to detect when a relationship has been formed with a new organization.

Query

AuditLogs
| where OperationName == "Add a partner to cross-tenant access setting"
| where parse_json(tostring(TargetResources[0].modifiedProperties))[0].displayName == "tenantId"
| extend initiating_user=parse_json(tostring(InitiatedBy.user)).userPrincipalName
| extend source_ip=parse_json(tostring(InitiatedBy.user)).ipAddress
| extend target_tenant=parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue
| project TimeGenerated, OperationName,initiating_user,source_ip, AADTenantId,target_tenant
| project-rename source_tenant= AADTenantId

As an admin, I can get an alert when an inbound cross-tenant sync policy is set to true. This allows your organization to detect when an organization is authorized to synchronize identities into your tenant.

Query

AuditLogs
| where OperationName == "Update a partner cross-tenant identity sync setting"
| extend a = tostring(TargetResources)
| where a contains "true"
| where parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue contains "true"

Alert logic

Privileged identity management

Alert an IT admin when specific PIM security alerts are disabled.

Query

AuditLogs
| where ActivityDisplayName == "Disable PIM alert"

Alert an IT admin when a user is added to a role outside of PIM

The query below is based on a templateId. You can find a list of template IDs here.

Query

AuditLogs
| where ActivityDisplayName == "Add member to role"
| where parse_json(tostring(TargetResources[0].modifiedProperties))[2].newValue in ("\"INPUT GUID\"")

Provisioning

Alert an IT administrator when there is a spike in provisioning failures over the past day. When configuring your alert in log analytics, set the aggregration granularity to 1-day.

Query

AADProvisioningLogs
| where JobId == "<input JobId>"
| where resultType == "Failure"

Alert Logic

  • Based on: Number of results
  • Operator: Greater than
  • Threshold value: 10

Alert an IT admin when someone starts, stops, disables, restarts, or deletes a provisioning configuration.

Query

AuditLogs
| where ActivityDisplayName in ('Add provisioning configuration','Delete provisioning configuration','Disable/pause provisioning configuration', 'Enable/restart provisioning configuration', 'Enable/start provisioning configuration')

Alert an IT admin when a provisioning job goes into quarantine

Query

AuditLogs
| where ActivityDisplayName == "Quarantine"

Next steps