Apr 21 2021 03:41 AM
Hi. I am looking for a solution to get an E-Mail notification every time a new group in Azure Active Directory is applied. Do you know any solutions?
Thank you for your help.
Apr 21 2021 10:22 AM
Hi
One way to get notified is configuring Azure Monitor Alerts . But before you will need create a and configure Azure Log Analytics Workspace.
The log analytics will allow you to send Azure AD Audit logs to be able to query it . An then you will use a custom query to generate an alert whenever the condition is met .
To be able to send Audit Logs you will need to configure the diagnostic settings .
Go To :
https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview
In the monitoring section go Diagnostic Settings and clic Add diagnostic settings
You will be able to add the following diagnostic settings :
Notice that In order to export Sign-in data, your organization needs Azure AD P1 or P2 license. If you don't have a P1 or P2,
Give a name to the diagnostic setting
In the category details Select at least Audit Logs
In the Destination select at least Send to Log Analytics workspace ( if it's a prod subscription i strongly recommend to archive the logs also ) .
Then select the subscription and an existing workspace will be populated .If not you have to create it.
Once done Go to Azure Monitor blade
https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview
Go to alerts then click on New alert rule
In the Scope section select the resource that should be the log analytics where you are sending the Azure Active Directory logs
In the condition section you configure the signal logic as Custom Log Search ( by default 6 evaluations are done in 30 min but you can customize the time range .
In the search query block copy paste the following query (formatted) :
AuditLogs
| where OperationName in ('Add group','Delete group')
For the alert logic put 0 for the value of Threshold and click on done .
Now the alert need to be sent to someone or a group for that .
You can configure an action group where notification can be Email/SMS message/Push/Voice
The action type can be Automation Runbook ITSM Webhook ...
Finally you can define the alert rule details
Once done you can do the test to verify if you can have a result to your query
Add a group and Delete it .
Hope that will help if yes you can mark it as anwser
Jul 22 2022 02:26 PM
This works great, but I can't figure out how to only fire the email for 1 specific group.
I also followed this but again can't figure out how to narrow down to 1 specific group.
Create Alert for any Security Group update - Microsoft Q&A