LOG-05 | High | Enhanced Security
Admin Activity Anomaly Detection
Logging & Visibility control for Microsoft 365 and Entra ID
Why This Control Matters
Compromised admin accounts often exhibit unusual patterns: signing in from new locations, performing bulk operations, or working at unusual hours. Detecting these anomalies enables early response to account compromise.
Expected State
When this control is compliant, your tenant should meet these criteria:
1. Unusual admin behaviors trigger alerts
2. New sign-in locations for admins are flagged
3. Bulk operations by admins are monitored
4. Off-hours admin activity is tracked
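The three signals listed above can be expressed as simple correlation rules. The following is an added example, not code from TrueConfig or Microsoft: the event tuple layout, account name, thresholds and sample events are constructed for illustration, and working hours are assumed to be in UTC.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

ADMIN = "admin@contoso.example"  # constructed account name
# Constructed sample events: (UTC timestamp, admin, sign-in country, operation)
EVENTS = [
    ("2024-05-06T09:15:00", ADMIN, "US", "UserLoggedIn"),
    ("2024-05-06T09:20:00", ADMIN, "US", "Reset user password"),
    ("2024-05-07T02:40:00", ADMIN, "RO", "UserLoggedIn"),
] + [("2024-05-07T02:4%d:00" % i, ADMIN, "RO", "Delete user") for i in range(1, 7)]

def detect(events, known_locations, work_hours=(7, 19), bulk_threshold=5,
           bulk_window=timedelta(minutes=10)):
    """Return (admin, rule, detail) alerts for the three anomaly signals."""
    alerts = []
    seen = defaultdict(set, {u: set(c) for u, c in known_locations.items()})
    recent = defaultdict(deque)  # per-admin timestamps of non-sign-in operations
    off_days = set()             # (admin, date) pairs already alerted as off-hours
    bulk_open = set()            # admins inside a burst that was already reported
    for ts, user, country, op in sorted(events):
        t = datetime.fromisoformat(ts)
        # Rule: off-hours activity, reported once per admin per day
        in_hours = work_hours[0] <= t.hour < work_hours[1]
        if not in_hours and (user, t.date()) not in off_days:
            off_days.add((user, t.date()))
            alerts.append((user, "off_hours", ts))
        # Rule: sign-in from a country not in the admin's baseline
        if op == "UserLoggedIn":
            if country not in seen[user]:
                seen[user].add(country)
                alerts.append((user, "new_location", country))
            continue
        # Rule: bulk operations, counted over a sliding time window
        q = recent[user]
        q.append(t)
        while t - q[0] > bulk_window:
            q.popleft()
        if len(q) < bulk_threshold:
            bulk_open.discard(user)
        elif user not in bulk_open:
            bulk_open.add(user)
            alerts.append((user, "bulk_operations", f"{len(q)} ops in {bulk_window}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS, {ADMIN: {"US"}}):
        print(alert)
```

In a real deployment the baseline of known locations and the working-hours window would come from each admin's sign-in history rather than fixed values.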
Enforcement
Default Mode: Advisory (alerts on deviations but does not make changes)
Auto-Remediation: Manual Only (requires Identity Protection or SIEM with correlation rules)