Alert if 365 account status is changed from Sign-in blocked to allowed

Occasional Contributor

Hi community

Has anyone found a way to alert admins when an account sign-in ability has been unblocked?

Thank you for any assistance.

1 Reply




Forward your audit logs to Log Analytics Workspace, and create alerts for these events.


Example: Monitor your Azure AD Break Glass Accounts with Azure Monitor – Daniel Chronlund Cloud Tech Blog (da... 


Here is a KQL example for enabled accounts: 


where OperationName == "Enable account"