O365 and Azure Active Directory Configuration changes


I am curious to find out all the O365 and Azure AD security monitoring alerts, especially configuration changes. There are alert policies you can set up in the Security and Compliance center, for example the "Added to member role" alert. My question is: how do you monitor all configuration changes? For example, one Exchange administrator makes changes to the default MRM policy. Can I create an alert for this, so the rest of the team knows there is a change made? There are no out-of-the-box policies for such, so can I use Security Graph API for this?

1 Reply

@shakxeon 

For the most complete, 'single pane' view, I'd recommend Cloud App Security ingesting 365 and AAD logs or perhaps Azure Sentinel?