Microsoft Tech Community

Auditing/Configuring the Rules/Notifications/Alert email addresses


Hey there! 
I am trying to find a way to audit (and hopefully configure!) the Defender notification emails to make sure they are configured to send to our helpdesk, so it can start our ticketing process.

Short of creating a custom application, and trying to subscribe or poll manually across every tenant, the best I have found so far is manually opening these for every separate customer to try and set up the settings.

So starting from for each customer, going to Settings, and following the mentioned path, or navigating to the URL on the right in turn with each customer tenantID filled in



| Setting | Path | URL |
|---|---|---|
| Incident Notifs | M365 Defender > Email Notifs > Incidents | <EachCustomerTenantID> |
| Actions | M365 Defender > Email Notifs > Actions | <EachCustomerTenantID> |
| Threat Analytics | M365 Defender > Email Notifs > Threat Analytics | <EachCustomerTenantID> |
| Alert Tuning/Suppression | M365 Defender > Alert Tuning | <EachCustomerTenantID> |
| Endpoint Alerts | Endpoints > Email Notifications > Alerts | <EachCustomerTenantID> |
| Endpoint Vulnerabilities | Endpoints > Email Notifications > Vulnerabilities | <EachCustomerTenantID> |
| Identity Health Notifs | Microsoft Defender for Identity > Health Issues | <EachCustomerTenantID> |
| Identity Alerts | Microsoft Defender for Identity > Alert | <EachCustomerTenantID> |

1 Reply
I can easily get Incidents or Alerts for a specific tenant, even across tenants through DAP/GDAP/CSP rights. However - rather than querying hundreds of tenants, or trying to set up WebHook subscriptions or similar for them - I was going to just start with Auditing (and possibly manually configuring) the Notification Emails and Alerts to send an email to our ticketing system that we could follow up on.

However, I can't find any PowerShell commands or API where I can access these notification settings (access the actual ALERTS themselves, no problem, but not audit the actual Notification Configuration on more than an individual Alert/Incident level).

The backend of uses private API endpoints like


or as an example for Incident Notifications.

The list in my previous post is the URLs that you access as the Administrator to configure these by hand, but I am hoping to find a way to get API/Programmatic/Scripted access to these values - but I cannot find any (public) API that seems to access them.