LOG-04: Configuring Privileged Operation Alerts
Overview
This guide walks you through configuring alerts for privileged administrative operations in Microsoft 365 and Azure AD. Monitoring administrative actions is critical for detecting insider threats, compromised admin accounts, and unauthorized configuration changes that could weaken your security posture.
Control ID: LOG-04 Category: Logging Severity: Info License Required: None (core audit log alert policies for privileged operations are available on any Microsoft 365 tier; no premium license required)
Why This Matters
Privileged operation alerts help you:
- Detect account compromise - Alert when admins perform unusual actions
- Monitor configuration drift - Know when security settings change
- Audit privileged access - Track all administrative activities
- Meet compliance requirements - Document oversight of privileged users
- Detect insider threats - Surface unauthorized or unexpected administrative access (alerts detect; they do not prevent)
Prerequisites
Required Roles
You need one of the following roles:
- Security Administrator
- Global Administrator
- Compliance Administrator (for alert policies)
Required Licenses
| Feature | License Required |
|---|---|
| Audit log alert policies for privileged operations | None (any Microsoft 365 tier) |
| PIM role activation alerts | Microsoft Entra ID P2 |
| Defender for Identity alerts | Microsoft Defender for Identity |
| Custom Log Analytics alerts | Azure subscription + Log Analytics |
Pre-Configuration Requirements
- Unified audit logging enabled
- PIM configured for privileged roles
- Alert notification recipients identified
- Escalation procedures documented
Time Estimate
| Task | Duration |
|---|---|
| Configure audit-based alerts | 30 minutes |
| Configure PIM notifications | 20 minutes |
| Set up Log Analytics alerts | 45 minutes |
| Test and verify | 20 minutes |
| Total | 2 hours |
Step-by-Step Instructions
Step 1: Configure PIM Role Activation Notifications
Set up notifications when admins activate privileged roles:
- Navigate to Microsoft Entra admin center
- Go to Identity Governance > Privileged Identity Management
- Click Microsoft Entra roles
- Select Roles from the menu
- Click Global Administrator (or target role)
- Click Settings > Edit
Configure Notification Settings
- Navigate to the Notification tab
- Configure the following:
Role activation notifications:
| Notification | Send to | Recommendation |
|---|---|---|
| Send notifications when members are assigned as eligible | Admins, Assignee | Enable |
| Send notifications when members are assigned as active | Admins, Assignee | Enable |
| Send notifications when eligible members activate | Admins | Enable (Critical) |
- Under Additional recipients, add:
  - Security team distribution list
  - SIEM integration address (if available)
- Click Update
Repeat for Critical Roles
Configure notifications for these privileged roles:
- Global Administrator
- Privileged Role Administrator
- Security Administrator
- Exchange Administrator
- SharePoint Administrator
- User Administrator
- Application Administrator
- Privileged Authentication Administrator
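The portal steps above have to be repeated per role. The following script is an added example (not part of the original guide) that applies the same three notification rules from the table to every role in the list with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph modules are installed, the signed-in account holds Privileged Role Administrator, and that the PIM rule IDs follow the service's fixed `Notification_<Recipient>_<Caller>_<Level>` naming; the distribution list address is a placeholder.

```powershell
# Added example: configure PIM notification rules for critical roles via Microsoft Graph.
# Not the guide's own code. Placeholder: security-alerts@yourdomain.com
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory", "RoleManagement.Read.Directory"

$criticalRoles = @(
    "Global Administrator", "Privileged Role Administrator", "Security Administrator",
    "Exchange Administrator", "SharePoint Administrator", "User Administrator",
    "Application Administrator", "Privileged Authentication Administrator"
)
$extraRecipients = @("security-alerts@yourdomain.com")   # placeholder DL (assumption)

# Rule IDs are fixed by the service:
#   Admin_Eligibility  = member assigned as eligible
#   Admin_Assignment   = member assigned as active
#   EndUser_Assignment = eligible member activates the role (the critical one)
$notificationRules = @(
    @{ Id = "Notification_Admin_Admin_Eligibility";  Caller = "Admin";   Level = "Eligibility" },
    @{ Id = "Notification_Admin_Admin_Assignment";   Caller = "Admin";   Level = "Assignment" },
    @{ Id = "Notification_Admin_EndUser_Assignment"; Caller = "EndUser"; Level = "Assignment" }
)

foreach ($roleName in $criticalRoles) {
    $roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
    if (-not $roleDef) { Write-Warning "Role '$roleName' not found in this tenant"; continue }

    # The tenant-wide (scopeId '/') PIM policy attached to this directory role
    $assignment = Get-MgPolicyRoleManagementPolicyAssignment `
        -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($roleDef.Id)'"
    $policyId = $assignment.PolicyId

    foreach ($rule in $notificationRules) {
        $body = @{
            "@odata.type"              = "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule"
            id                         = $rule.Id
            notificationType           = "Email"
            recipientType              = "Admin"
            notificationLevel          = "All"      # "Critical" would drop non-critical notices
            isDefaultRecipientsEnabled = $true      # keep the default admin recipients as well
            notificationRecipients     = $extraRecipients
            target                     = @{
                caller              = $rule.Caller
                operations          = @("All")
                level               = $rule.Level
                inheritableSettings = @()
                enforcedSettings    = @()
            }
        }
        Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
            -UnifiedRoleManagementPolicyRuleId $rule.Id -BodyParameter $body
    }

    # Read back: the derived-type properties of each rule sit in AdditionalProperties
    Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId |
        Where-Object { $_.Id -like "Notification_Admin_*" } |
        ForEach-Object {
            $extra = $_.AdditionalProperties["notificationRecipients"] -join ", "
            "{0,-40} {1,-42} recipients: {2}" -f $roleName, $_.Id, $extra
        }
}
```

The read-back loop is the verification step: every critical role should show the distribution list on all three `Notification_Admin_*` rules. If a role prints nothing, the `Get-MgPolicyRoleManagementPolicyAssignment` filter returned no policy, which usually means PIM has not been onboarded for that role yet.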
Step 2: Create Audit Log Alert Policies
Create alert policies in Microsoft Purview for administrative operations:
- Navigate to Microsoft Purview compliance portal
- Go to Solutions > Audit (or Policies & rules > Alert policy)
- Click + New alert policy
Alert Policy 1: Admin Role Assignment
- Configure:
  - Name: Admin Role Assigned
  - Description: Alerts when an administrative role is assigned
  - Category: Permissions
  - Severity: High
- Under Activity conditions:
  - Activities: Added member to role
  - Users: All users
  - Roles:
    - Global Administrator
    - Privileged Role Administrator
    - Security Administrator
    - Exchange Administrator
- Set Threshold: Single event (every matching activity raises an alert)
- Add notification recipients
- Set status to On
- Click Submit
Alert Policy 2: Exchange Transport Rule Created
- Create new alert policy:
  - Name: Exchange Transport Rule Created
  - Description: Alerts when mail flow rules are created
  - Category: Threat management
  - Severity: High
- Activity conditions:
  - Activities: New-TransportRule
  - Users: All users
- Add notification recipients
- Click Submit
Alert Policy 3: Conditional Access Policy Modified
- Create new alert policy:
  - Name: Conditional Access Policy Changed
  - Description: Alerts when CA policies are modified or deleted
  - Category: Threat management
  - Severity: High
- Activity conditions:
  - Activities:
    - Update conditional access policy
    - Delete conditional access policy
  - Users: All users
- Add notification recipients
- Click Submit
Alert Policy 4: Security Settings Modified
- Create new alert policy:
  - Name: Security Settings Modified
  - Description: Alerts when critical security settings change
  - Category: Threat management
  - Severity: High
- Activity conditions:
  - Activities:
    - Set company information
    - Set password policy
    - Set domain authentication
    - Disable account
  - Users: All users
- Add notification recipients
- Click Submit
Alert Policy 5: Application Consent Granted
- Create new alert policy:
  - Name: Application Consent Granted
  - Description: Alerts when admin grants consent to an application
  - Category: Data governance
  - Severity: Medium
- Activity conditions:
  - Activities:
    - Consent to application
    - Add app role assignment grant to user
  - Users: All users
- Add notification recipients
- Click Submit
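Alert policies are also scriptable, which makes them repeatable across tenants and easy to diff against a baseline. The script below is an added example (not the guide's own code) that creates the five policies of Step 2 with the Security & Compliance PowerShell cmdlet `New-ProtectionAlert` from the ExchangeOnlineManagement module. It assumes the `-Operation` strings are the unified audit log Operation values for each activity (Entra operations carry a trailing period there), that the `-Category` values map to the portal categories (AccessGovernance = Permissions, DataGovernance = Data governance), and that the role filter of Policy 1 is left to the portal; the recipient address is a placeholder.

```powershell
# Added example: create the Step 2 alert policies with Security & Compliance PowerShell.
# Not the guide's own code. Operation/Category strings and the recipient are assumptions.
Connect-IPPSSession

$notify = "security-alerts@yourdomain.com"   # placeholder DL

$policies = @(
    @{ Name = "Admin Role Assigned"; Description = "Alerts when an administrative role is assigned"
       Category = "AccessGovernance"; Severity = "High"
       Operation = @("Add member to role.") }
    @{ Name = "Exchange Transport Rule Created"; Description = "Alerts when mail flow rules are created"
       Category = "ThreatManagement"; Severity = "High"
       Operation = @("New-TransportRule") }
    @{ Name = "Conditional Access Policy Changed"; Description = "Alerts when CA policies are modified or deleted"
       Category = "ThreatManagement"; Severity = "High"
       Operation = @("Update conditional access policy.", "Delete conditional access policy.") }
    @{ Name = "Security Settings Modified"; Description = "Alerts when critical security settings change"
       Category = "ThreatManagement"; Severity = "High"
       Operation = @("Set company information.", "Set password policy.", "Set domain authentication.", "Disable account.") }
    @{ Name = "Application Consent Granted"; Description = "Alerts when admin grants consent to an application"
       Category = "DataGovernance"; Severity = "Medium"
       Operation = @("Consent to application.", "Add app role assignment grant to user.") }
)

foreach ($p in $policies) {
    if (Get-ProtectionAlert -Identity $p.Name -ErrorAction SilentlyContinue) {
        Write-Host "Policy '$($p.Name)' already exists, skipping"
        continue
    }
    # ThreatType Activity + AggregationType None = one alert per matching event ("Single event" threshold)
    New-ProtectionAlert -Name $p.Name -Description $p.Description -Category $p.Category `
        -Severity $p.Severity -ThreatType Activity -Operation $p.Operation `
        -AggregationType None -NotifyUser $notify | Out-Null
    Write-Host "Created '$($p.Name)'"
}

# Verify: every policy should be listed with Disabled = False
Get-ProtectionAlert | Where-Object { $policies.Name -contains $_.Name } |
    Format-Table Name, Severity, Category, Disabled, @{ n = "Operation"; e = { $_.Operation -join ", " } }
```

Run `Get-ProtectionAlert | Select-Object Name, Operation` on a tenant where the policies were created in the portal first if you want to confirm the exact Operation strings for your environment before relying on the script.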
Step 3: Configure Azure Log Analytics Alerts
For more advanced alerting with custom queries:
- Navigate to Azure portal
- Go to your Log Analytics workspace
- Click Alerts > + New alert rule
Alert Rule 1: Global Admin Role Activation
- Under Condition, click Add condition
- Select Custom log search
- Enter the query below. Note that for Add member to role, TargetResources[0] is the user who was added; the role name is stored in that entry's modifiedProperties as Role.DisplayName, so filtering on TargetResources[0].displayName would never match a role name. The alert's Period setting supplies the time window, so no TimeGenerated filter is needed in the query.
AuditLogs
| where OperationName == "Add member to role"
| where Result == "success"
// TargetResources[0] is the user; the role lives in its modifiedProperties
| extend Target = TargetResources[0]
| extend AddedUser = tostring(Target.userPrincipalName)
| mv-expand Prop = Target.modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
// newValue is a JSON-encoded string, so strip the surrounding quotes before comparing
| extend RoleName = trim('"', tostring(Prop.newValue))
| where RoleName == "Global Administrator"
// Human actors populate InitiatedBy.user; service principals populate InitiatedBy.app
| extend AddedBy = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| project TimeGenerated, RoleName, AddedUser, AddedBy
- Configure alert logic:
  - Based on: Number of results
  - Operator: Greater than
  - Threshold: 0
  - Frequency: Every 5 minutes
  - Period: Last 1 hour
  - Under Advanced options, set Mute actions for 1 hour; otherwise a single assignment notifies again on every 5-minute evaluation for as long as it stays inside the 1-hour window
- Create action group for notifications
- Set severity to Sev 1 - Critical
- Click Create
Alert Rule 2: Password Policy Change
AuditLogs
| where TimeGenerated > ago(1h)
// "Set password policy" is a directory-management operation, so do not restrict to the Policy category alone
| where Category in ("Policy", "DirectoryManagement")
| where OperationName has_any ("Set password policy", "Update policy")
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| extend PolicyName = tostring(TargetResources[0].displayName)
| project TimeGenerated, OperationName, PolicyName, Actor, Result
Alert Rule 3: MFA Configuration Disabled
AuditLogs
| where TimeGenerated > ago(1h)
| where Result == "success"
// Per-user MFA changes are logged as "Update user" with StrongAuthenticationRequirement modified;
// authentication method policy edits carry "authentication" in the operation name
| where OperationName has "authentication" or OperationName == "Update user"
| mv-expand Prop = TargetResources[0].modifiedProperties
| extend PropName = tostring(Prop.displayName), NewValue = tostring(Prop.newValue)
| where OperationName has "authentication" or PropName contains "StrongAuthentication"
// An empty requirement list ([]) or an explicit Disabled/false means MFA was turned off
| where NewValue == "[]" or NewValue has "Disabled" or NewValue has "false"
| extend Actor = tostring(InitiatedBy.user.userPrincipalName), TargetUser = tostring(TargetResources[0].userPrincipalName)
| project TimeGenerated, OperationName, Actor, TargetUser, PropName, NewValue
Alert Rule 4: Bulk User Deletion
AuditLogs
| where TimeGenerated > ago(1h)
| where OperationName == "Delete user" and Result == "success"
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
// More than 5 deletions by one actor inside a 10-minute bin; exclude known HR/provisioning sync accounts
| summarize DeleteCount = count(), DeletedUsers = make_set(tostring(TargetResources[0].userPrincipalName), 50) by bin(TimeGenerated, 10m), Actor
| where DeleteCount > 5
Alert Rule 5: Emergency Access Account Used
SigninLogs
| where TimeGenerated > ago(24h)
// Prefer listing the exact break-glass UPNs. If matching on a naming convention, use contains:
// has/has_any match whole terms, so "breakglass" would not match "breakglass01@yourdomain.com"
| where UserPrincipalName contains "breakglass" or UserPrincipalName contains "emergency"
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Location, ResultType
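Creating log alert rules in the portal does not leave a reviewable artifact. The script below is an added example (not the guide's own code) that creates Alert Rule 1 with the Az PowerShell modules, together with the action group it has to notify. It assumes Az.Monitor 5.x-style cmdlets (`New-AzActionGroup` with receiver objects, `New-AzScheduledQueryRule` with `-MuteActionsDuration`) and Az.OperationalInsights; the resource group, workspace name, region, phone number and e-mail address are placeholders. The other four rules follow the same pattern with their own query and threshold.

```powershell
# Added example: action group + scheduled query rule for "Global Admin Role Activation".
# Not the guide's own code. Names, region, phone number and address are placeholders.
Connect-AzAccount | Out-Null
$rg        = "rg-security-monitoring"
$location  = "eastus"
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name "law-security"

# Action group: e-mail the SOC list and text the on-call phone (the construct Step 6 refers to)
$email = New-AzActionGroupEmailReceiverObject -Name "soc-email" -EmailAddress "security-alerts@yourdomain.com"
$sms   = New-AzActionGroupSmsReceiverObject -Name "oncall-sms" -CountryCode "1" -PhoneNumber "5555550100"
$ag    = New-AzActionGroup -Name "ag-privileged-ops-critical" -ResourceGroupName $rg -Location "global" `
            -GroupShortName "privcrit" -EmailReceiver $email -SmsReceiver $sms

# Alert Rule 1 query. The role name is in TargetResources[0].modifiedProperties (Role.DisplayName);
# TargetResources[0].displayName is the user who was added.
$query = @'
AuditLogs
| where OperationName == "Add member to role"
| where Result == "success"
| extend Target = TargetResources[0]
| extend AddedUser = tostring(Target.userPrincipalName)
| mv-expand Prop = Target.modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
| extend RoleName = trim('"', tostring(Prop.newValue))
| where RoleName == "Global Administrator"
| extend AddedBy = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| project TimeGenerated, RoleName, AddedUser, AddedBy
'@

# Number of results > 0; one failing evaluation is enough to fire
$condition = New-AzScheduledQueryRuleConditionObject -Query $query -TimeAggregation "Count" `
    -Operator "GreaterThan" -Threshold 0 `
    -FailingPeriodNumberOfEvaluationPeriod 1 -FailingPeriodMinFailingPeriodsToAlert 1

# Evaluate every 5 minutes over the last hour; mute repeat actions for 1 hour so one assignment
# does not page 12 times while it stays inside the window
New-AzScheduledQueryRule -Name "GlobalAdminRoleAssigned" -ResourceGroupName $rg -Location $location `
    -DisplayName "Global Admin Role Activation" -Description "A user was added to Global Administrator" `
    -Scope $workspace.ResourceId -Severity 1 `
    -WindowSize ([TimeSpan]::FromHours(1)) -EvaluationFrequency ([TimeSpan]::FromMinutes(5)) `
    -CriterionAllOf $condition -ActionGroupResourceId $ag.Id `
    -MuteActionsDuration ([TimeSpan]::FromHours(1)) -Enabled | Out-Null

# Verify the rule exists and is enabled
Get-AzScheduledQueryRule -ResourceGroupName $rg -Name "GlobalAdminRoleAssigned" |
    Select-Object Name, Enabled, Severity, EvaluationFrequency, WindowSize
```

Test it end to end by adding a test account to Global Administrator through PIM in a non-production tenant and confirming both the e-mail and the SMS arrive within one evaluation cycle plus the audit log ingestion delay; then remove the assignment.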
Step 4: Configure Microsoft Defender for Identity Alerts
If licensed for Defender for Identity:
- Navigate to the Microsoft Defender portal (formerly Microsoft 365 Defender)
- Go to Settings > Identities
- Navigate to Notifications > Alert notifications
- Add the security team recipients. Defender for Identity detections are on by default and are not switched on per alert type; use exclusions only for known-benign sources. Confirm the recipients will act on at least the following alert types, which point directly at abuse of privileged accounts:
| Alert Type | Severity | Recommendation |
|---|---|---|
| Suspicious modification of sensitive groups | High | Triage as a privileged-operation alert |
| Suspicious service creation | High | Triage as a privileged-operation alert |
| Suspected skeleton key attack (encryption downgrade) | Critical | Page on-call immediately |
| Suspected DCSync attack (replication of directory services) | Critical | Page on-call immediately |
| Suspected brute-force attack (Kerberos, NTLM) | Medium | Triage within the High/Medium response time |
| Reconnaissance using directory services (LDAP, SAMR, account enumeration) | Medium | Triage within the High/Medium response time |
- Set notification recipients
- Click Save
Step 5: Configure Microsoft Sentinel Integration (Optional)
For SIEM-level alerting:
- Navigate to Microsoft Sentinel
- Select your workspace
- Go to Configuration > Analytics
- Click + Create > Scheduled query rule
Rule: Privileged Role Assignment
- Configure:
  - Name: Privileged Role Assignment Detected
  - Tactics: Persistence, Privilege Escalation
  - Severity: High
- Enter rule query (as with the Log Analytics rule, the role name is read from modifiedProperties, not from TargetResources[0].displayName):
AuditLogs
| where OperationName == "Add member to role"
| where Result == "success"
| extend Target = TargetResources[0]
| extend User = tostring(Target.userPrincipalName)
| mv-expand Prop = Target.modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
| extend RoleName = trim('"', tostring(Prop.newValue))
| where RoleName in ("Global Administrator", "Privileged Role Administrator", "Security Administrator", "Exchange Administrator", "SharePoint Administrator")
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| project TimeGenerated, OperationName, RoleName, User, Actor
- Set query scheduling:
  - Run query every: 5 minutes
  - Lookup data from last: 5 minutes (keep the lookback at least equal to the frequency; Sentinel adds its own ingestion-delay offset)
- Configure entity mapping (Account: User as the target, Actor as the initiator) so the incident carries both identities
- Configure incident settings
- Click Save
Step 6: Set Up Notification Channels
Configure multiple notification channels for critical alerts:
Email Notifications
- Create a security alert distribution list, e.g. security-alerts@yourdomain.com, that includes the SOC team and security managers
- Add it to all alert policies
Microsoft Teams Notifications
- Create a Teams channel, e.g. Security Operations - Alerts
- Post alerts to it with a Power Automate (Workflows) flow; the legacy Office 365 incoming webhook connector is being retired, so do not build new integrations on it
SMS/Phone Notifications (On-Call)
- Use Azure Monitor action groups
- Configure SMS or voice call receivers for critical alerts
- Integrate with on-call management tools (PagerDuty, Opsgenie) through the action group's webhook receiver
Verification Checklist
After configuring privileged operation alerts:
- PIM role activation notifications are enabled for all critical roles
- Audit log alert policies are created and enabled
- Log Analytics alert rules are configured and tested
- Defender for Identity alerts are enabled (if licensed)
- Microsoft Sentinel rules are configured (if using)
- Notification recipients receive test alerts
- Multiple notification channels are configured
- Alert severities match organizational priorities
- Escalation procedures are documented
- On-call rotation is configured for critical alerts
Recommended Alert Matrix
| Activity | Alert Method | Severity | Response Time |
|---|---|---|---|
| Global Admin role assigned | PIM + Log Analytics | Critical | Immediate |
| Global Admin role activated | PIM notification | High | 15 minutes |
| Security setting modified | Audit alert | High | 30 minutes |
| Conditional Access policy changed | Audit alert | High | 30 minutes |
| Emergency account used | Log Analytics | Critical | Immediate |
| Bulk user deletion | Log Analytics | High | 15 minutes |
| Mail flow rule created | Audit alert | High | 30 minutes |
| Application consent granted | Audit alert | Medium | 4 hours |
| Password policy changed | Log Analytics | High | 30 minutes |
| MFA disabled for user | Log Analytics | High | 30 minutes |
Troubleshooting
Issue: PIM Notifications Not Received
Cause: Notification settings not configured or email filtering.
Solution:
- Verify notifications are enabled in role settings
- Check additional recipients field is populated
- Verify email not in spam/junk folder
- Confirm recipient email addresses are correct
- Confirm the tenant is licensed for Microsoft Entra ID P2 (recipients themselves do not need a license, but PIM role settings do not function without P2)
Issue: Audit Alert Policy Not Triggering
Cause: Activity not matching conditions or delay in audit log.
Solution:
- Audit logs can take 30 minutes to 24 hours to appear
- Verify activity matches the specified conditions exactly
- Test with a known activity that should trigger
- Check if policy status is On
- Review policy conditions for typos
Issue: Too Many False Positives
Cause: Overly broad conditions or normal admin activity.
Solution:
- Narrow conditions to specific high-risk activities
- Exclude service accounts performing expected tasks
- Add suppression rules for known safe activities
- Increase thresholds for volume-based alerts
- Use aggregation to reduce duplicate alerts
Issue: Log Analytics Query Returns No Results
Cause: Table not available or query syntax error.
Solution:
- Verify Entra ID diagnostic settings are configured to send AuditLogs and SignInLogs to the workspace
- Wait for logs to flow (15-30 minutes after configuration)
- Test a simpler query first: AuditLogs | take 10
- Check field names match the schema exactly (column names are case-sensitive)
- Extend time range to find historical data
Issue: Alert Notification Delayed
Cause: Alert frequency or ingestion delays.
Solution:
- Shorten the alert evaluation frequency to 5 minutes (log alerts support down to 1 minute, at higher cost)
- Audit logs may have inherent delays; measure the gap between the event's TimeGenerated and ingestion_time() before tuning the rule
- Use near-real-time alerts where available
- Consider streaming to Event Hub for faster processing
Cost Considerations
License Requirements
| Component | License | Cost |
|---|---|---|
| Basic audit alerts | Microsoft 365 E3 | Included |
| PIM notifications | Entra ID P2 | ~$9/user/month |
| Log Analytics alerts | Azure subscription | ~$2.76/GB ingestion |
| Defender for Identity | Enterprise Mobility + Security E5 | ~$14.80/user/month |
| Microsoft Sentinel | Azure subscription | ~$2.46/GB ingestion |
Optimization Tips
- Prioritize critical alerts - Focus on Global Admin and security-impacting activities
- Use native alerts first - Leverage included audit policies before Log Analytics
- Aggregate alerts - Reduce volume by grouping related events
- Archive to storage - Use cheaper storage for long-term retention
Related Controls
- LOG-01: Audit Log Retention - Ensure logs are retained for investigation
- LOG-02: Sign-In Log Export - Export logs for correlation
- LOG-03: Security Alerts - General threat detection alerts
- PA-01: Standing Global Admin - Reduce permanent privileged access
- PA-04: PIM for All Roles - Implement just-in-time access