Email alerts for modifications made to Azure AD Security group

Hi All,

We're planning to create an Azure AD Security group which would have high privileges on all the SharePoint Online site collections and I'm looking for a way to receive email alerts for all the modifications made to this group (addition and deletion of members). We would like to receive these email alerts to a specific DL. Could someone please guide me on how to achieve this? I guess a SIEM or a CASB can help here but do we have something in-house in Office 365 that can do the trick?

3 Replies

In general you should be able to configure an Activity alert (https://protection.office.com/#/managealerts). However, Microsoft has removed the "new" button and instead is forcing you to use the "Activity policies" functionality, which requires additional licensing...

So I guess the answer will be to build your own solution that periodically examines the unified audit log for any events related to the security group(s) in question and sends email notifications accordingly. Some third-party tools can offer this.
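
As an added illustration of the "build your own solution" approach in the reply above (not code from the thread or from Microsoft): a Python filter over unified audit log records that keeps add/remove events for one group, de-duplicates across overlapping polls and composes the mail for the DL. The group ID, the addresses and the AuditData field layout (Operation, ObjectId, UserId, ModifiedProperties with Group.ObjectID) are assumptions; check them against a record exported from your own tenant.

```python
import json
from email.message import EmailMessage

# Assumed values for illustration: use your group's object ID and your DL.
WATCHED_GROUP_ID = "11111111-2222-3333-4444-555555555555"
ALERT_TO = "priv-group-alerts@example.com"
MEMBER_OPS = {"add member to group", "remove member from group"}

def group_ids(audit):
    """Group IDs in ModifiedProperties: NewValue on add, OldValue on remove."""
    return {v.strip('[]" \r\n').lower()
            for p in audit.get("ModifiedProperties", []) if p.get("Name") == "Group.ObjectID"
            for v in (p.get("NewValue"), p.get("OldValue")) if v}

def membership_changes(records, seen_ids):
    """Unseen add/remove events for the watched group; updates seen_ids."""
    hits = []
    for rec in records:
        audit = json.loads(rec["AuditData"])
        op = audit.get("Operation", "").rstrip(". ").lower()
        if op not in MEMBER_OPS or audit.get("Id") in seen_ids:
            continue
        if WATCHED_GROUP_ID in group_ids(audit):
            seen_ids.add(audit.get("Id"))  # overlapping polls must not re-alert
            hits.append(audit)
    return hits

def build_alert(changes):
    msg = EmailMessage()
    msg["From"] = "audit-monitor@example.com"  # assumed sender address
    msg["To"] = ALERT_TO
    msg["Subject"] = f"[ALERT] {len(changes)} membership change(s) on privileged group"
    msg.set_content("\n".join(
        f'{c["CreationTime"]} {c["Operation"]} member={c["ObjectId"]} by={c["UserId"]}'
        for c in changes))
    return msg

def _rec(rid, op, member, new="", old=""):
    # Constructed sample record; the field layout is an assumption.
    return {"AuditData": json.dumps({
        "Id": rid, "CreationTime": "2018-07-10T09:00:00", "Operation": op,
        "UserId": "admin@example.com", "ObjectId": member,
        "ModifiedProperties": [{"Name": "Group.ObjectID", "NewValue": new, "OldValue": old}]})}

SAMPLE = [
    _rec("a1", "Add member to group.", "alice@example.com", new=WATCHED_GROUP_ID),
    _rec("a2", "Remove member from group.", "bob@example.com", old=WATCHED_GROUP_ID),
    _rec("a3", "Add member to group.", "carol@example.com", new="99999999-0000-0000-0000-000000000000"),
]
```

Fetching the records (for example an export from Search-UnifiedAuditLog) and handing the message to smtplib are left to the scheduled job that runs this. Persist `seen_ids` between runs so that a polling window wider than the schedule interval does not produce repeat mails.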

Thank you for the answer @Vasil Michev. Could you please explain the additional licensing required for these alerts?
In this article, I could see default alert policies require an E1, E3 or E5 subscription. Does this mean alerting functionality requires additional licensing?

I believe this article is incorrect, as in my E1 test tenant I don't have any way to create Alert policies. I can still create Activity alerts via the URL I linked above, but for Activity policies you will need E5 or the standalone Office 365 Threat Intelligence or Office 365 Advanced Compliance licenses.
