Alert if 365 account status is changed from Sign-in blocked to allowed

Hi community

Has anyone found a way to alert admins when an account's sign-in ability has been unblocked?

Thank you for any assistance.

2 Replies

@ryeurolink

Yes.

Forward your audit logs to Log Analytics Workspace, and create alerts for these events.

Example: Monitor your Azure AD Break Glass Accounts with Azure Monitor – Daniel Chronlund Cloud Tech Blog (da...

Here is a KQL example for enabled accounts:

AuditLogs
| where OperationName == "Enable account"

Start by tapping into Office 365 Audit Logs. Flip on unified audit logging, and send those logs straight to your SIEM or log analytics platform. Craft an alert for "User signed in to mailbox" with a previously blocked account as your target. This signals that a once-restricted account is now in action.

Now, shift gears to Azure Active Directory Sign-In Logs. Stream these logs to your SIEM or analytics platform and set up an alert for any sign-in attempts from a previously blocked account. A fresh sign-in event points to the block being lifted.

For some automation finesse, consider Power Automate. Set up a flow on a schedule, keeping an eye on the BlockCredential status of those high-risk accounts. If there's a shift from True to False, trigger an email or Teams alert to keep administrators in the loop.

Remember, the key here is comparing the current state with a known blocked state to catch any changes. And don't forget to log and alert on admin actions, like unblocking an account.
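
The scheduled BlockCredential comparison described in the reply above, sketched as an added example that is not part of the original thread. It assumes each run produces a snapshot mapping UPN to a boolean BlockCredential value; the function names and the sample accounts are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    upn: str
    kind: str    # "unblocked" or "missing"
    detail: str


def normalize(snapshot):
    """Key by lower-cased UPN so a casing difference cannot hide a change."""
    return {upn.strip().lower(): bool(blocked) for upn, blocked in snapshot.items()}


def compare_block_state(baseline, current, watchlist=None):
    """Report accounts that were blocked in `baseline` and are not blocked now.

    baseline/current: {upn: BlockCredential as bool} from the previous and present run.
    watchlist: optional UPNs to restrict the check to (e.g. high-risk accounts).
    """
    base, cur = normalize(baseline), normalize(current)
    scope = {u.strip().lower() for u in watchlist} if watchlist is not None else set(base)
    findings = []
    for upn in sorted(scope):
        if not base.get(upn, False):
            continue  # not blocked at the last run, so no block could have been lifted
        if upn not in cur:
            # A blocked account that vanished from the export must not pass silently.
            findings.append(Finding(upn, "missing", "blocked account absent from current snapshot"))
        elif not cur[upn]:
            findings.append(Finding(upn, "unblocked", "BlockCredential changed True -> False"))
    return findings


def next_baseline(baseline, current):
    """State to store for the next run; accounts missing this run keep their last value."""
    merged = normalize(baseline)
    merged.update(normalize(current))
    return merged


# Constructed sample snapshots (not real accounts).
PREVIOUS = {"svc-legacy@contoso.example": True, "Former.Employee@contoso.example": True,
            "alice@contoso.example": False, "breakglass@contoso.example": True}
CURRENT = {"svc-legacy@contoso.example": True, "former.employee@contoso.example": False,
           "alice@contoso.example": False}

if __name__ == "__main__":
    for f in compare_block_state(PREVIOUS, CURRENT):
        print(f"ALERT {f.kind}: {f.upn} ({f.detail})")
```

Storing the result of `next_baseline` after each run means an unblock alerts once, while a blocked account that stays absent from the export keeps being reported until it is accounted for.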