E-Mail notification for Groups in Azure AD

%3CLINGO-SUB%20id%3D%22lingo-sub-2279904%22%20slang%3D%22de-DE%22%3EE-Mail%20notification%20for%20Groups%20in%20Azure%20AD%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2279904%22%20slang%3D%22de-DE%22%3E%3CP%3EHi.%20I%20am%20looking%20for%20a%20solution%20to%20get%20an%20E-Mail%20notification%20every%20time%20a%20new%20group%20in%20Azure%20Active%20Directory%20is%20applied.%20Do%20you%20know%20any%20solutions%3F%3C%2FP%3E%3CP%3EThank%20you%20for%20your%20help.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Visitor

Hi. I am looking for a solution to get an E-Mail notification every time a new group in Azure Active Directory is applied. Do you know any solutions?

Thank you for your help.

 

1 Reply

@Maximus_Aurelius 

 

Hi

 

One way to  get notified is configuring Azure Monitor  Alerts  . But before you will need create a and configure Azure  Log Analytics Workspace.

The log analytics will allow you to send Azure AD Audit logs to be able to query it  . An then you will use a custom query to generate an alert whenever the condition is met .

 

To be able to send Audit Logs you will need to configure the diagnostic settings . 

Go To : 

 https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview

 

In the monitoring section go Diagnostic Settings and clic Add diagnostic settings 

You will be able to add the following diagnostic settings :  

  • AuditLogs
  • SignInLogs
  • NonInteractiveUserSignInLogs
  • ServicePrincipalSignInLogs
  • ManagedIdentitySignInLogs
  • ProvisioningLogs

Notice that In order to export Sign-in data, your organization needs Azure AD P1 or P2 license. If you don't have a P1 or P2,

Give a name to the diagnostic setting 

In the category details Select at least Audit Logs 

In the Destination select at least Send to Log Analytics workspace ( if it's a prod subscription i strongly recommend to archive the logs also ) .

Then select the subscription and an existing workspace will be populated .If not you have to create it. 

 

Once done Go to Azure Monitor  blade 

https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview

Go to alerts then click on New alert rule 

In the Scope section select the resource that should be the log analytics where you are sending the Azure Active Directory logs

In the condition section you configure the signal logic as Custom Log Search ( by default 6 evaluations are done in 30 min but you can customize the time range . 

In the search query block copy paste the following query (formatted)  :  


AuditLogs
| where OperationName in ('Add group','Delete group')

 

For the alert logic  put 0 for the value of Threshold and click on done . 

 

Now the alert need to be sent to someone or a group for that .

You can configure an action group where notification can be Email/SMS message/Push/Voice

The action type can be Automation Runbook ITSM  Webhook ...

 

Finally you can define the alert rule details 

 

Once done you can do the test to verify if you can have a result to your query 

Add  a group and Delete it .

Hope that will help if yes you can mark it as anwser