Password reset/change activity alert not working

Hello,

I'm trying to set up an activity alert for our break glass admin account, and I want the alert to send me an email if the password has been reset or changed.

I have the alert set up the way I believe it should work, both reset user password, and change user password. It is active, I have the correct emails where they need to be, but the alert for the password reset never comes in.

Similarly, I've set up an activity alert to say when the user is logged in, and that one does work.

I've set up the password alert in both PowerShell AND GUI online.

Does anyone have any ideas on what I can do to make this work?

Thank you!

3 Replies
Hello, as far as I remember, email is rarely used; an app is used for password resets.

Hello Ryan,

Setting up activity alerts for critical actions like password resets for a break glass admin account is essential for maintaining security and monitoring. It's good to hear that you have successfully set up an alert for user login activities, but troubleshooting the issue with the password reset alert can be a bit more complex.

Here are some steps you can take to troubleshoot and potentially resolve the issue:
1. Check Alert Configuration: Double-check the alert configuration for both the PowerShell and the GUI setup. Ensure that the conditions are set correctly to trigger the alert for a password reset. Sometimes, minor configuration errors can lead to alerts not being triggered.

2. Review Email Settings: Verify that the email addresses configured for receiving the alerts are correct. Also, check the spam or junk folders of the email account to ensure the alerts are not being misdirected.

3. Examine Alert Triggers: Ensure that the alert is set to trigger on the exact event you are interested in. For example, there might be a difference between a password "reset" and a password "change," and your alert might be set up for one but not the other.

4. Test with Manual Trigger: Try manually resetting the password for the break glass account (if feasible) to see if the alert is triggered. This can confirm whether the issue is with the alert setup or with the event not being captured properly.

5. Check Logs and Audit Trails: Review the logs and audit trails to see if the password reset events are being logged correctly. If they are not appearing in the logs, the issue might be with the event logging rather than the alert system.

6. Update and Patch Management: Ensure that your systems, including the alert management system, are up-to-date with the latest patches and updates. Sometimes, bugs in older versions can cause such issues.

7. Consult Documentation or Support: Review the official documentation for the alert system you are using. It might have specific instructions or known issues related to password reset alerts. If the problem persists, consider reaching out to the support team for the software or service you are using.

8. Permissions and Access Control: Make sure that the account or service used to set up and manage alerts has the necessary permissions to monitor password reset events.

9. Third-Party Monitoring Tools: If all else fails, consider using a third-party monitoring tool that specializes in such alerts. These tools often provide more flexibility and detailed monitoring capabilities.

10. Community and Forums: Sometimes, community forums or user groups for the specific software or service you are using can provide insights or solutions from other users who might have faced similar issues.

Remember, when working with break glass accounts, always proceed with caution and ensure that all actions are well-documented and follow your organization's security protocols.
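
Step 5 above, sketched as an added example (not part of the original reply and not Microsoft's code): it filters unified audit log records for password reset/change operations against one account, so you can see whether the event is logged at all and under exactly which operation string. The account name, the sample records, and the assumption that the target account appears in the `ObjectId` field are constructed for illustration.

```powershell
# Hypothetical break glass account name (placeholder).
$BreakGlassUpn = 'breakglass@contoso.example'

function Find-PasswordEvent {
    param(
        [Parameter(Mandatory)] [object[]] $Records,   # objects carrying an AuditData JSON string
        [Parameter(Mandatory)] [string]   $TargetUpn
    )
    foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        # Prefix match (case-insensitive) tolerates trailing punctuation in the recorded name.
        if ($d.Operation -notmatch '^(reset|change) user password') { continue }
        # Assumption: the account whose password was touched is in ObjectId.
        if ($d.ObjectId -ne $TargetUpn) { continue }
        [pscustomobject]@{
            Time      = $d.CreationTime
            Operation = $d.Operation    # exact string to compare with the alert's configured operation
            Actor     = $d.UserId
            Target    = $d.ObjectId
            Result    = $d.ResultStatus
        }
    }
}

# Constructed sample records, shaped like Search-UnifiedAuditLog output (AuditData as JSON text).
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-01-10T09:15:00","Operation":"UserLoggedIn","UserId":"breakglass@contoso.example","ObjectId":"breakglass@contoso.example","ResultStatus":"Success"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-01-10T09:20:00","Operation":"Reset user password.","UserId":"admin@contoso.example","ObjectId":"breakglass@contoso.example","ResultStatus":"Success"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-01-10T09:25:00","Operation":"Change user password","UserId":"other@contoso.example","ObjectId":"other@contoso.example","ResultStatus":"Success"}' }
)

# Only the 09:20 reset against the break glass account is returned.
Find-PasswordEvent -Records $sample -TargetUpn $BreakGlassUpn | Format-Table -AutoSize

# Live use (Exchange Online PowerShell session, after Connect-ExchangeOnline):
# $live = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#             -FreeText $BreakGlassUpn -ResultSize 1000
# Find-PasswordEvent -Records $live -TargetUpn $BreakGlassUpn
```

If the live query returns the reset but no alert arrives, compare the `Operation` value with the operation configured on the alert; if it returns nothing, the event is not reaching the audit log and the alert has nothing to fire on.
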
Hi Jose,

Thank you for your input. I'm attempting to make these alerts in the M365 Security portal via the GUI and connecting to it via PowerShell commands. I've verified that everything is set up as it should be to produce an alert.

The activity alerts section is already quite buggy, and they themselves say, "We are working on a better experience for you to manage and view security and compliance alerts. Go to Alert policies." But Alert policies also doesn't have what I need. I think I'm stuck just waiting for Microsoft to fix their pages, unfortunately.