Alert if 365 account status is changed from Sign-in blocked to allowed


Hi community

Has anyone found a way to alert admins when an account sign-in ability has been unblocked?

Thank you for any assistance.

1 Reply

@ryeurolink 

 

Yes. 

Forward your audit logs to Log Analytics Workspace, and create alerts for these events.

 

Example: Monitor your Azure AD Break Glass Accounts with Azure Monitor – Daniel Chronlund Cloud Tech Blog (da... 

 

Here is a KQL example for enabled accounts: 

 

AuditLogs
| where OperationName == "Enable account"
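
The query from the reply, extended into a form suitable for a scheduled log alert rule. This is an added example, not part of the original reply; it assumes the audit logs land in the standard Log Analytics `AuditLogs` table, and the 15-minute lookback and the output column names `Actor` and `TargetAccount` are illustrative choices.

```kusto
// Added example: alert query for accounts whose sign-in was re-enabled.
// Assumption: 15-minute lookback, to be matched to the alert rule's frequency.
AuditLogs
| where TimeGenerated > ago(15m)
| where OperationName == "Enable account"
| where Result =~ "success"
// The initiator is either a user or an application (service principal);
// coalesce() returns the first non-empty string.
| extend Actor = coalesce(
    tostring(InitiatedBy.user.userPrincipalName),
    tostring(InitiatedBy.app.displayName))
// One row per affected account, so each alert names the account that was enabled.
| mv-expand Target = TargetResources
| extend TargetAccount = tostring(Target.userPrincipalName)
| project TimeGenerated, OperationName, Actor, TargetAccount, Result, CorrelationId
| order by TimeGenerated desc
```

Set the alert rule to fire when the query returns more than zero rows, and include `Actor` and `TargetAccount` in the notification so the admin can see who re-enabled which account.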