LOG-04: Configuring Privileged Operation Alerts

Overview

This guide walks you through configuring alerts for privileged administrative operations in Microsoft 365 and Azure AD. Monitoring administrative actions is critical for detecting insider threats, compromised admin accounts, and unauthorized configuration changes that could weaken your security posture.

Control ID: LOG-04
Category: Logging
Severity: Info
License Required: None (core audit log alert policies for privileged operations are available on any Microsoft 365 tier; no premium license required)

Why This Matters

Privileged operation alerts help you:

  • Detect account compromise - Alert when admins perform unusual actions
  • Monitor configuration drift - Know when security settings change
  • Audit privileged access - Track all administrative activities
  • Meet compliance requirements - Document oversight of privileged users
  • Prevent insider threats - Detect unauthorized administrative access

Prerequisites

Required Roles

You need one of the following roles:

  • Security Administrator
  • Global Administrator
  • Compliance Administrator (for alert policies)

Required Licenses

Feature | License Required
--- | ---
Audit log alert policies for privileged operations | None (any Microsoft 365 tier)
PIM role activation alerts | Microsoft Entra ID P2
Defender for Identity alerts | Microsoft Defender for Identity
Custom Log Analytics alerts | Azure subscription + Log Analytics

Pre-Configuration Requirements

  • Unified audit logging enabled
  • PIM configured for privileged roles
  • Alert notification recipients identified
  • Escalation procedures documented

Time Estimate

Task | Duration
--- | ---
Configure audit-based alerts | 30 minutes
Configure PIM notifications | 20 minutes
Set up Log Analytics alerts | 45 minutes
Test and verify | 20 minutes
Total | 2 hours

Step-by-Step Instructions

Step 1: Configure PIM Role Activation Notifications

Set up notifications when admins activate privileged roles:

  1. Navigate to Microsoft Entra admin center
  2. Go to Identity Governance > Privileged Identity Management
  3. Click Microsoft Entra roles
  4. Select Roles from the menu
  5. Click Global Administrator (or target role)
  6. Click Settings > Edit

Configure Notification Settings

  1. Navigate to the Notification tab
  2. Configure the following:

Role activation notifications:

Notification | Send to | Recommendation
--- | --- | ---
Send notifications when members are assigned as eligible | Admins, Assignee | Enable
Send notifications when members are assigned as active | Admins, Assignee | Enable
Send notifications when eligible members activate | Admins | Enable (Critical)

  3. Under Additional recipients, add:

    • Security team distribution list
    • SIEM integration address (if available)
  4. Click Update

Repeat for Critical Roles

Configure notifications for these privileged roles:

  • Global Administrator
  • Privileged Role Administrator
  • Security Administrator
  • Exchange Administrator
  • SharePoint Administrator
  • User Administrator
  • Application Administrator
  • Privileged Authentication Administrator

Step 2: Create Audit Log Alert Policies

Create alert policies in Microsoft Purview for administrative operations:

  1. Navigate to Microsoft Purview compliance portal
  2. Go to Solutions > Audit (or Policies & rules > Alert policy)
  3. Click + New alert policy

Alert Policy 1: Admin Role Assignment

  1. Configure:

    • Name: Admin Role Assigned
    • Description: Alerts when an administrative role is assigned
    • Category: Permissions
    • Severity: High
  2. Under Activity conditions:

    • Activities: Added member to role
    • Users: All users
    • Roles:
      • Global Administrator
      • Privileged Role Administrator
      • Security Administrator
      • Exchange Administrator
  3. Set Threshold: Single event

  4. Add notification recipients

  5. Set status to On

  6. Click Submit

Alert Policy 2: Exchange Transport Rule Created

  1. Create new alert policy:

    • Name: Exchange Transport Rule Created
    • Description: Alerts when mail flow rules are created
    • Category: Threat management
    • Severity: High
  2. Activity conditions:

    • Activities: New-TransportRule
    • Users: All users
  3. Add notification recipients

  4. Click Submit

Alert Policy 3: Conditional Access Policy Modified

  1. Create new alert policy:

    • Name: Conditional Access Policy Changed
    • Description: Alerts when CA policies are modified or deleted
    • Category: Threat management
    • Severity: High
  2. Activity conditions:

    • Activities:
      • Update conditional access policy
      • Delete conditional access policy
    • Users: All users
  3. Add notification recipients

  4. Click Submit

Alert Policy 4: Security Settings Modified

  1. Create new alert policy:

    • Name: Security Settings Modified
    • Description: Alerts when critical security settings change
    • Category: Threat management
    • Severity: High
  2. Activity conditions:

    • Activities:
      • Set company information
      • Set password policy
      • Set domain authentication
      • Disable account
    • Users: All users
  3. Add notification recipients

  4. Click Submit

Alert Policy 5: Application Consent Granted

  1. Create new alert policy:

    • Name: Application Consent Granted
    • Description: Alerts when admin grants consent to an application
    • Category: Data governance
    • Severity: Medium
  2. Activity conditions:

    • Activities:
      • Consent to application
      • Add app role assignment grant to user
  3. Add notification recipients

  4. Click Submit

Step 3: Configure Azure Log Analytics Alerts

For more advanced alerting with custom queries:

  1. Navigate to Azure portal
  2. Go to your Log Analytics workspace
  3. Click Alerts > + New alert rule

Alert Rule 1: Global Admin Role Activation

  1. Under Condition, click Add condition
  2. Select Custom log search
  3. Enter query:
AuditLogs
| where TimeGenerated > ago(1h)
| where OperationName == "Add member to role"
// For this operation TargetResources[0] is the user being assigned;
// the role name is carried in its modifiedProperties as Role.DisplayName
| extend Property = TargetResources[0].modifiedProperties
| mv-expand Property
| where tostring(Property.displayName) == "Role.DisplayName"
| extend RoleName = trim('"', tostring(Property.newValue))
| where RoleName == "Global Administrator"
| extend AddedUser = tostring(TargetResources[0].userPrincipalName)
| extend AddedBy = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, RoleName, AddedUser, AddedBy
  4. Configure alert logic:

    • Based on: Number of results
    • Operator: Greater than
    • Threshold: 0
    • Frequency: Every 5 minutes
    • Period: Last 1 hour
  5. Create action group for notifications

  6. Set severity to Sev 1 - Critical

  7. Click Create

Alert Rule 2: Password Policy Change

AuditLogs
| where TimeGenerated > ago(1h)
| where OperationName has_any ("Set password policy", "Update policy")
| where Category == "Policy"
| project TimeGenerated, OperationName, InitiatedBy, Result

Alert Rule 3: MFA Configuration Disabled

AuditLogs
| where TimeGenerated > ago(1h)
| where OperationName has "authentication"
| where Result == "success"
| extend Details = tostring(TargetResources[0].modifiedProperties)
| where Details has "Disabled" or Details has "false"
| project TimeGenerated, OperationName, InitiatedBy, Details

Alert Rule 4: Bulk User Deletion

AuditLogs
| where TimeGenerated > ago(1h)
| where OperationName == "Delete user"
| summarize DeleteCount = count() by bin(TimeGenerated, 10m), InitiatedBy = tostring(InitiatedBy.user.userPrincipalName)
| where DeleteCount > 5

Alert Rule 5: Emergency Access Account Used

SigninLogs
| where TimeGenerated > ago(24h)
// has_any is case-insensitive, so one spelling per keyword is enough
| where UserPrincipalName has_any ("breakglass", "emergency")
| project TimeGenerated, UserPrincipalName, IPAddress, Location, ResultType

Step 4: Configure Microsoft Defender for Identity Alerts

If licensed for Defender for Identity:

  1. Navigate to Microsoft 365 Defender
  2. Go to Settings > Microsoft Defender for Identity
  3. Navigate to Notifications
  4. Configure alerts for:
Alert Type | Severity | Recommendation
--- | --- | ---
Suspicious modification of sensitive groups | High | Enable
Suspicious service creation | High | Enable
Skeleton key attack | Critical | Enable
DCSync attack | Critical | Enable
Brute-force attack | Medium | Enable
Abnormal modifications to sensitive groups | High | Enable
Reconnaissance using directory services | Medium | Enable

  5. Set notification recipients
  6. Click Save

Step 5: Configure Microsoft Sentinel Integration (Optional)

For SIEM-level alerting:

  1. Navigate to Microsoft Sentinel
  2. Select your workspace
  3. Go to Configuration > Analytics
  4. Click + Create > Scheduled query rule

Rule: Privileged Role Assignment

  1. Configure:

    • Name: Privileged Role Assignment Detected
    • Tactics: Persistence, Privilege Escalation
    • Severity: High
  2. Enter rule query:

AuditLogs
| where OperationName has "Add member to role"
// The role name is in TargetResources[0].modifiedProperties (Role.DisplayName), not in displayName
| extend Property = TargetResources[0].modifiedProperties
| mv-expand Property
| where tostring(Property.displayName) == "Role.DisplayName"
| extend RoleName = trim('"', tostring(Property.newValue))
| where RoleName in ("Global Administrator", "Privileged Role Administrator", "Security Administrator", "Exchange Administrator", "SharePoint Administrator")
| extend User = tostring(TargetResources[0].userPrincipalName)
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, OperationName, RoleName, User, Actor
  3. Set query scheduling:

    • Run query every: 5 minutes
    • Lookup data from last: 5 minutes
  4. Configure incident settings

  5. Click Save
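Alert Rule 1 and Alert Rule 4 in Step 3 and the Sentinel rule above express two detections: a privileged role assignment, and more than five user deletions by one actor within a 10-minute bin. The Python below is an added example, not code from this guide or from Microsoft; it replays that logic over constructed records in the Log Analytics AuditLogs shape. The tenant name, UPNs and timestamps are made up, and it assumes that for "Add member to role" the role name sits in TargetResources[0].modifiedProperties under Role.DisplayName, as Entra ID emits it.

```python
import json
from collections import Counter
from datetime import datetime

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Security Administrator",
                    "Exchange Administrator", "SharePoint Administrator"}

def _rec(ts, op, actor, target_upn, role=None):
    """Constructed AuditLogs-shaped record; Entra JSON-encodes the role name in newValue."""
    props = [{"displayName": "Role.DisplayName", "newValue": json.dumps(role)}] if role else []
    return {"TimeGenerated": ts, "OperationName": op,
            "InitiatedBy": {"user": {"userPrincipalName": actor}},
            "TargetResources": [{"displayName": target_upn.split("@")[0],
                                 "userPrincipalName": target_upn, "modifiedProperties": props}]}

# Constructed sample: one privileged and one non-privileged role assignment,
# plus six user deletions by one actor inside a single 10-minute window.
SAMPLE_AUDIT_LOGS = [
    _rec("2024-01-15T10:02:00Z", "Add member to role", "admin@contoso.example",
         "jane@contoso.example", "Global Administrator"),
    _rec("2024-01-15T10:04:00Z", "Add member to role", "admin@contoso.example",
         "bob@contoso.example", "Helpdesk Administrator"),
] + [_rec(f"2024-01-15T10:1{i}:00Z", "Delete user", "svc-offboard@contoso.example",
          f"user{i}@contoso.example") for i in range(6)]

def role_name(record):
    """TargetResources[0] is the user being assigned; the role lives in its modifiedProperties."""
    for prop in record["TargetResources"][0].get("modifiedProperties", []):
        if prop.get("displayName") == "Role.DisplayName":
            return json.loads(prop["newValue"])
    return None

def privileged_role_assignments(records):
    """Mirror of Alert Rule 1 and the Sentinel rule: (RoleName, AddedUser, AddedBy) per match."""
    hits = []
    for r in records:
        role = role_name(r) if r["OperationName"] == "Add member to role" else None
        if role in PRIVILEGED_ROLES:
            hits.append((role, r["TargetResources"][0]["userPrincipalName"],
                         r["InitiatedBy"]["user"]["userPrincipalName"]))
    return hits

def bulk_deletions(records, bin_minutes=10, threshold=5):
    """Mirror of Alert Rule 4: 'Delete user' counts per (10-minute bin, actor) above the threshold."""
    counts = Counter()
    for r in records:
        if r["OperationName"] == "Delete user":
            ts = datetime.fromisoformat(r["TimeGenerated"].replace("Z", "+00:00"))
            bin_start = ts.replace(minute=ts.minute - ts.minute % bin_minutes, second=0, microsecond=0)
            counts[(bin_start.isoformat(), r["InitiatedBy"]["user"]["userPrincipalName"])] += 1
    return {key: n for key, n in counts.items() if n > threshold}
```

Feeding real exported records through `role_name` is also a quick way to confirm that a query keyed on TargetResources[0].displayName would never match a role name.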

Step 6: Set Up Notification Channels

Configure multiple notification channels for critical alerts:

Email Notifications

  1. Create a security alert distribution list:

    • security-alerts@yourdomain.com
    • Include SOC team, security managers
  2. Add to all alert policies

Microsoft Teams Notifications

  1. Create a Teams channel: Security Operations - Alerts
  2. Add an incoming webhook connector
  3. Configure Power Automate flow to post alerts to Teams

SMS/Phone Notifications (On-Call)

  1. Use Azure Monitor action groups
  2. Configure SMS or voice call for critical alerts
  3. Integrate with on-call management tools (PagerDuty, Opsgenie)

Verification Checklist

After configuring privileged operation alerts:

  • PIM role activation notifications are enabled for all critical roles
  • Audit log alert policies are created and enabled
  • Log Analytics alert rules are configured and tested
  • Defender for Identity alerts are enabled (if licensed)
  • Microsoft Sentinel rules are configured (if using)
  • Notification recipients receive test alerts
  • Multiple notification channels are configured
  • Alert severities match organizational priorities
  • Escalation procedures are documented
  • On-call rotation is configured for critical alerts

Recommended Alert Matrix

Activity | Alert Method | Severity | Response Time
--- | --- | --- | ---
Global Admin role assigned | PIM + Log Analytics | Critical | Immediate
Global Admin role activated | PIM notification | High | 15 minutes
Security setting modified | Audit alert | High | 30 minutes
Conditional Access policy changed | Audit alert | High | 30 minutes
Emergency account used | Log Analytics | Critical | Immediate
Bulk user deletion | Log Analytics | High | 15 minutes
Mail flow rule created | Audit alert | Medium | 4 hours
Application consent granted | Audit alert | Medium | 4 hours
Password policy changed | Log Analytics | High | 30 minutes
MFA disabled for user | Log Analytics | High | 30 minutes

Troubleshooting

Issue: PIM Notifications Not Received

Cause: Notification settings not configured or email filtering.

Solution:

  1. Verify notifications are enabled in role settings
  2. Check additional recipients field is populated
  3. Verify email not in spam/junk folder
  4. Confirm recipient email addresses are correct
  5. Check if recipient has P2 license

Issue: Audit Alert Policy Not Triggering

Cause: Activity not matching conditions or delay in audit log.

Solution:

  1. Allow for audit log latency: entries can take 30 minutes to 24 hours to appear
  2. Verify activity matches the specified conditions exactly
  3. Test with a known activity that should trigger
  4. Check if policy status is On
  5. Review policy conditions for typos

Issue: Too Many False Positives

Cause: Overly broad conditions or normal admin activity.

Solution:

  1. Narrow conditions to specific high-risk activities
  2. Exclude service accounts performing expected tasks
  3. Add suppression rules for known safe activities
  4. Increase thresholds for volume-based alerts
  5. Use aggregation to reduce duplicate alerts

Issue: Log Analytics Query Returns No Results

Cause: Table not available or query syntax error.

Solution:

  1. Verify Entra ID diagnostic settings are configured
  2. Wait for logs to flow (15-30 minutes after configuration)
  3. Test simpler query first: AuditLogs | take 10
  4. Check field names match schema exactly
  5. Extend time range to find historical data

Issue: Alert Notification Delayed

Cause: Alert frequency or ingestion delays.

Solution:

  1. Shorten the alert evaluation interval to 5 minutes
  2. Allow for the inherent ingestion delay of audit logs
  3. Use near-real-time alerts where available
  4. Consider streaming to Event Hub for faster processing

Cost Considerations

License Requirements

Component | License | Cost
--- | --- | ---
Basic audit alerts | Microsoft 365 E3 | Included
PIM notifications | Entra ID P2 | ~$9/user/month
Log Analytics alerts | Azure subscription | ~$2.76/GB ingestion
Defender for Identity | Enterprise Mobility + Security E5 | ~$14.80/user/month
Microsoft Sentinel | Azure subscription | ~$2.46/GB ingestion

Optimization Tips

  1. Prioritize critical alerts - Focus on Global Admin and security-impacting activities
  2. Use native alerts first - Leverage included audit policies before Log Analytics
  3. Aggregate alerts - Reduce volume by grouping related events
  4. Archive to storage - Use cheaper storage for long-term retention

Related Controls

  • LOG-01: Audit Log Retention - Ensure logs are retained for investigation
  • LOG-02: Sign-In Log Export - Export logs for correlation
  • LOG-03: Security Alerts - General threat detection alerts
  • PA-01: Standing Global Admin - Reduce permanent privileged access
  • PA-04: PIM for All Roles - Implement just-in-time access

Additional Resources