We have heard from customers that in today’s modern workplace and threat landscape, alerts and insights are a key tool to maintain visibility and control in your environment. Office 365 alert policies and insights in Security & Compliance Center are effective tools for organizations to detect threats, monitor anomalous activities and enhance protection in Office 365. This month, we are rolling out new capabilities to enhance your alert and insight experience in Office 365.

Consume Cloud App Security alerts in Office 365 Security and Compliance center

Microsoft Cloud App Security alerts related to Office apps and services are now available in the Office 365 security and compliance center on the view alerts page. With the addition of these alerts in the compliance center, you now have a central view within one portal. In addition, these same alerts are now available via the Management Activity API.



For more details, please refer to this section in documentation.



Alerts signal available in Management Activity API


Availability of the alerts signal in the Management Activity API has been one of the top feature requests from both customers and partners. Starting now, Office 365 Security & Compliance Alerts can be retrieved from Management Activity API as a signal. This means that you can now consume Office 365 alerts in your own way by simply integrating it with your SIEM or self-created solution.

Meanwhile, this also means that these signals can be searched from “Search-UnifiedAuditLog” for Cmdlet based log access.



For more details, please refer to the schema documentation for Office 365 Security & Compliance alerts in Management Activity API.


Manage access to alerts with role-based permissions

Admins with various roles come to the Security and Compliance center to consume alerts. Until now, the permission for viewing alerts has been universal across the entire organization, creating a challenge for access to alerts for specific scenarios such as data loss, or privileged access.  As we expand the scenarios that alert policies support across Security & Compliance, the necessity for a more granular permission model emerges. This month, we will start to roll out the role-based access to alerts. For example, a Compliance admin will no longer have permission to see Threat management alerts in “View alerts” page. Read more about this update here.


Insights signal available in Management Activity API

In various places in Security & compliance Center, Office 365 provides you with insights about potential threats or configuration issues that we have identified on your behalf, such as “Users targeted by phishing campaign” or “Spam mails delivered due to allowed IP”, along with actionable recommendations for you to resolve or mitigate these issues.


To date, we have introduced about 30 such insights. And now, we are excited to share that these insight signals can also be retrieved via the Management Activity API. This update will start to roll out later this month.



Alert policies based on S&CC insights

Along with the availability of insight signals in Management Activity API,  we are also allowing admins to configure alert policies and receive email notifications based on these insights from S&CC. Certain insight based alerts will be rolled up as on-by-default alert policies.



This capability is also starting to roll out later this month. Check back for updates on related documentation.

  • Binyan Chen, Sr Program Manager, Microsoft 365 Compliance Solutions

The insights integration into the MA API and Alerts is great, cant wait to play with it :)

Occasional Contributor

@Binyan Chen Thanks for the updates. For MCAS integration, the documentation (https://docs.microsoft.com/en-us/Office365/SecurityCompliance/alert-policies#viewing-cloud-app-secur...) says "Changing the status of a Cloud App Security alert in the Security & Compliance Center won't update the resolution status for the same alert in the Cloud App Security portal. For example, if you mark the status of the alert as Resolved in the Security & Compliance Center, the status of the alert in the Cloud App Security portal is unchanged. To resolve or dismiss a Cloud App Security alert, manage the alert in the Cloud App Security portal."


A couple of questions:

1. Does this apply to alerts from Office 365 Cloud App Security as well, or just to MCAS ones?

2. If the alert is resolved in MCAS, does that status flow through to O365 Alerts? I assume the answer is no currently, but that would be nice otherwise the O365 Alerts screen is going to show out-of-date status data points that will eventually lead to them being ignored.

3. Are there any plans to change the lack of alert status integration between the two? Having to resolve in both places is duplication of effort, something we'd like to minimise.