MFA - Tracking Registration & Changes to Setup


Hi everyone,

I have a two-part question regarding MFA:

I'm currently rolling it out to the organisation I work for and I'm hoping to get an email alert every time someone completes the registration process and is set up, and conversely an alert if someone is removed from the MFA system.

The second alert I'm after is if a different device is configured within the MFA registration settings to receive SMS messaging or linked to the Microsoft Authentication App.

I'm convinced there's a way to achieve this through the Cloud Application Security Centre as you can configure policies to trigger alerts for specific events, but I cannot figure out which ones in particular I need to set up monitoring for to trigger the email.

1 Reply

There's no such built-in functionality, but you can configure an Alert policy and attach it to the corresponding audit event. Do note that it will fire up for other "Update user" events. More info here:

https://docs.microsoft.com/en-us/office365/securitycompliance/alert-policies

If you need to scope down the alert to just this specific action, and the device configured, your only option is to write a PowerShell script that periodically reads this data for all users and sends you an email.
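
One way the periodic script described in the reply could look, as an added example that is not code from the thread. It assumes the legacy MSOnline module (`Get-MsolUser`) with an existing `Connect-MsolService` session; the state file path, SMTP server and mail addresses are placeholders.

```powershell
# Added example, not from the thread. Assumes the MSOnline module is installed and
# Connect-MsolService has already been run. Path, SMTP host and addresses are placeholders.
$StatePath = 'C:\MfaAudit\mfa-state.xml'
$Mail = @{ SmtpServer = 'smtp.example.com'; From = 'mfa-audit@example.com'; To = 'secops@example.com' }

function Get-MfaSnapshot {
    # Per user: registered method types, plus SMS number and Authenticator device names
    $snap = @{}
    foreach ($u in Get-MsolUser -All) {
        $methods = @($u.StrongAuthenticationMethods | ForEach-Object { $_.MethodType } | Sort-Object) -join ','
        $devices = @($u.StrongAuthenticationPhoneAppDetails | ForEach-Object { $_.DeviceName } | Sort-Object) -join ','
        $phone   = $u.StrongAuthenticationUserDetails.PhoneNumber
        $snap[$u.UserPrincipalName] = @{ Methods = $methods; Detail = "phone=$phone; devices=$devices" }
    }
    return $snap
}

function Compare-MfaSnapshot {
    # Emits one line per user whose MFA state differs between two snapshots
    param([hashtable]$Old, [hashtable]$New)
    foreach ($upn in (@($Old.Keys) + @($New.Keys) | Sort-Object -Unique)) {
        $o = $Old[$upn]; $n = $New[$upn]
        $was = [bool]($o -and $o.Methods)   # had at least one method at the last run
        $is  = [bool]($n -and $n.Methods)   # has at least one method now
        if (-not $was -and $is) { "REGISTERED  $upn ($($n.Methods))" }
        elseif ($was -and -not $is) { "REMOVED     $upn (was $($o.Methods))" }
        elseif ($was -and $is -and ($o.Methods -ne $n.Methods -or $o.Detail -ne $n.Detail)) {
            "CHANGED     $upn [$($o.Methods); $($o.Detail)] -> [$($n.Methods); $($n.Detail)]"
        }
    }
}

$current = Get-MfaSnapshot
if (Test-Path $StatePath) {
    # Diff against the previous run and mail only when something changed
    $changes = @(Compare-MfaSnapshot -Old (Import-Clixml $StatePath) -New $current)
    if ($changes.Count -gt 0) {
        Send-MailMessage @Mail -Subject "MFA changes: $($changes.Count)" -Body ($changes -join "`r`n")
    }
}
# The first run only records a baseline; later runs diff against it
$current | Export-Clixml -Path $StatePath
```

Run it from a scheduled task at whatever interval is acceptable for detection delay, and restrict access to the state file, since it holds users' registered phone numbers and device names.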