Current Office 365 / Entra ID Alert Policies

Within InfraSOS, you can enable the following alerts for your Office 365 tenants as part of our Office 365 monitoring:

  1. Admins forced user password reset.

Creates an alert when an administrator forces a password reset for a user in Entra ID.

Events will be created based on the Entra ID Directory Audit Logs records that match the following Graph API filter:

(activityDisplayName eq 'Reset password (by admin)' OR activityDisplayName eq 'Reset user password') AND result eq 'success'

“Reset user password” records are counted only when the audit record's initiator is a user principal (initiatedBy/user, i.e. the administrator performing the reset), not an application.

✅ User Filter support 

✅ Group filter support 

  1. Unusual volume of admins' login failures.

Creates an alert when an unusual volume of administrator login failures is detected, compared to the same day in the previous week. An alert event is generated if the number of failed logins today is greater than or equal to the number of failed logins on the same day of the previous week. The generated event includes detailed information about all failed logins for both today and the compared day. A user who holds only eligible administrator roles (for example through PIM) is treated as an administrator only while at least one of those roles is activated; otherwise the user is not treated as an administrator.

All unsuccessful Interactive and Non-Interactive login attempts are taken into account according to Entra ID Sign Ins Audit Logs.

✅ User Filter support 

✅ Group filter support 
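The comparison described above, as an added example that is not InfraSOS code: it runs offline over constructed Entra ID sign-in records shaped like Microsoft Graph `signIn` objects. The role-assignment data, the `admin_users` helper and the extra "at least one failure today" guard are assumptions; the page does not describe how role state is read, and its rule as stated would also match when both counts are zero.

```python
# Added example (not InfraSOS code): the "unusual volume of admins' login
# failures" comparison over constructed Graph-shaped sign-in records.
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta

# Constructed role data (assumption): "active" vs "eligible" (PIM) assignments.
ROLE_ASSIGNMENTS = [
    {"user": "alice@contoso.example", "role": "Global Administrator", "state": "active"},
    {"user": "bob@contoso.example", "role": "Security Administrator", "state": "eligible"},
    {"user": "carol@contoso.example", "role": "Exchange Administrator", "state": "eligible"},
    {"user": "carol@contoso.example", "role": "Helpdesk Administrator", "state": "active"},
]

# Constructed sign-in records (trimmed Graph `signIn` shape). status.errorCode 0
# is a success; any other code is a failed attempt (50126 = invalid credentials).
SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-01T09:12:00Z", "status": {"errorCode": 50126}},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-01T09:13:00Z", "status": {"errorCode": 50126}},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-08T08:01:00Z", "status": {"errorCode": 50126}},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-08T08:02:00Z", "status": {"errorCode": 50126}},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-08T08:03:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example", "createdDateTime": "2024-05-08T11:40:00Z", "status": {"errorCode": 50126}},
    # bob holds only an eligible role, so his failures are ignored entirely
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-05-08T12:00:00Z", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-05-08T12:01:00Z", "status": {"errorCode": 50126}},
]


def admin_users(assignments):
    """A user counts as an administrator only if at least one of their role
    assignments is active; users holding only eligible roles are excluded."""
    return {a["user"] for a in assignments if a["state"] == "active"}


def failed_admin_logins_by_day(sign_ins, admins):
    """Group failed sign-ins of administrators by UTC calendar day."""
    counts, details = Counter(), defaultdict(list)
    for rec in sign_ins:
        if rec["userPrincipalName"] not in admins:
            continue
        if rec["status"]["errorCode"] == 0:
            continue  # successful sign-in, not a failure
        day = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")).date()
        counts[day] += 1
        details[day].append(rec)
    return counts, details


def evaluate(sign_ins, assignments, today_iso):
    """Compare today's admin failures with the same weekday one week earlier.
    The page's rule fires when today >= compared day; this example additionally
    requires at least one failure today (assumption) so that 0 >= 0 does not alert."""
    today = date.fromisoformat(today_iso)
    compared_day = today - timedelta(days=7)
    counts, details = failed_admin_logins_by_day(sign_ins, admin_users(assignments))
    today_n, compared_n = counts[today], counts[compared_day]
    return {
        "alert": today_n > 0 and today_n >= compared_n,
        "today": today_n,
        "compared_day": compared_n,
        "today_failures": details[today],
        "compared_day_failures": details[compared_day],
    }


if __name__ == "__main__":
    r = evaluate(SIGN_INS, ROLE_ASSIGNMENTS, "2024-05-08")
    print(f"alert={r['alert']} today={r['today']} compared_day={r['compared_day']}")
```

With the constructed data, 8 May has three administrator failures (two for alice, one for carol; bob's are excluded because his only role is eligible) against two on 1 May, so the rule fires and the returned dict carries both days' records for the event.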

  1. Sign ins from anonymous IP address.

Creates an alert when a user sign-in is detected from an anonymous IP address (for example a Tor exit node or an anonymizing VPN) within the organization. These IP addresses are commonly used by actors attempting to hide sign-in information (such as IP address, location, device, and more) and may indicate potentially malicious activity.

All Interactive and Non-Interactive login attempts that match the following Microsoft Graph API filter are taken into account, based on Entra ID Sign-In audit logs.

riskEventTypes_v2/any(t: t eq 'anonymizedIPAddress')

✅ User Filter support 

✅ Group filter support 

  1. Blocked user attempted to login.

Creates an alert when users whose sign-in is blocked attempt to log in, listing every such user together with the sign-in details (location, device, and so on).

Events will be created based on the Entra ID Sign Ins Audit Logs records that match the following Graph API filter:

status/errorCode eq 50057

Error code 50057 corresponds to AADSTS50057, “The user account is disabled”, which is what Entra ID returns when a blocked (disabled) account attempts to sign in.

✅ User Filter support 

✅ Group filter support 

  1. Re-enabling blocked user accounts.

Creates an alert whenever an admin enables any of the previously disabled/blocked user accounts in Entra ID.

Events will be created based on the Entra ID Directory Audit Logs records that match the following Graph API filter:

activityDisplayName eq 'Enable account' AND result eq 'success'

✅ User Filter support 

✅ Group filter support 

  1. Admin consent to application.

Creates an alert when an administrator grants consent to an application in Entra ID.

Events will be created based on the Entra ID Directory Audit Logs records that match the following Graph API filter:

activityDisplayName eq 'Consent to application' AND result eq 'success'

Note that the “Consent to application” activity is also written when an end user consents to an application; in the audit record, admin consent is distinguished by the ConsentContext.IsAdminConsent modified property.

❌ User Filter support 

❌ Group filter support 

  1. Elevation of administrative privilege.

Creates an alert when a user, group or service principal is added to any of the administrative roles in Entra ID. A role is considered administrative if its name contains the word “administrator”. Both built-in and custom roles are taken into account.

Events will be generated from Entra ID Directory Audit Logs records that match the following Microsoft Graph API filter (when the target role is considered administrative):

(activityDisplayName eq 'Add member to role' OR activityDisplayName eq 'Add eligible member to role' OR activityDisplayName eq 'Add EligibleRoleAssignement to RoleDefinition' OR activityDisplayName eq 'Add role assignment to role definition') AND result eq 'success'

* In the “Add EligibleRoleAssignement to RoleDefinition” activity, you may notice a misspelling in the word “Assignement.” This is expected behavior: the Microsoft Graph API returns the activity name with this misspelling, while it is spelled correctly in the official documentation.

✅ User Filter support 

✅ Group filter support 

  1. Elevation of Global admin privilege.

Creates an alert when a user, group or service principal is added to the Global Administrator role in Entra ID, either as an active or as an eligible member.

Events will be generated based on Entra ID Directory Audit Logs records that match the following Microsoft Graph API filter if the target role is Global Administrator (62e90394-69f5-4237-9190-012177145e10):

(activityDisplayName eq 'Add member to role' OR activityDisplayName eq 'Add eligible member to role') AND result eq 'success'

✅ User Filter support 

✅ Group filter support 
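The two role-elevation rules above (the name-based “administrator” check and the template-ID check for Global Administrator), as an added example that is not InfraSOS code: it classifies constructed records shaped like Microsoft Graph `directoryAudit` objects. The Role.DisplayName / Role.TemplateId modified-property names and the JSON-quoted `newValue` encoding are assumptions about how the audit log reports the target role; the non-Global-Administrator template IDs in the sample data are placeholders.

```python
# Added example (not InfraSOS code): classify directory-audit records for the
# "Elevation of administrative privilege" and "Elevation of Global admin
# privilege" alerts.
import json

GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"  # from the page

ADMIN_ROLE_ACTIVITIES = {
    "Add member to role",
    "Add eligible member to role",
    "Add EligibleRoleAssignement to RoleDefinition",  # misspelling as returned by Graph
    "Add role assignment to role definition",
}
GLOBAL_ADMIN_ACTIVITIES = {"Add member to role", "Add eligible member to role"}


def _audit(activity, role_name, template_id, result="success"):
    """Build a constructed directoryAudit record (sample-data helper; the
    modifiedProperties layout is an assumption)."""
    return {
        "activityDisplayName": activity,
        "result": result,
        "targetResources": [{
            "modifiedProperties": [
                {"displayName": "Role.DisplayName", "newValue": json.dumps(role_name)},
                {"displayName": "Role.TemplateId", "newValue": json.dumps(template_id)},
            ],
        }],
    }


# Constructed sample records; placeholder template IDs except for Global Administrator.
SAMPLE_AUDITS = [
    _audit("Add member to role", "Global Administrator", GLOBAL_ADMIN_TEMPLATE_ID),
    _audit("Add eligible member to role", "Directory Readers", "00000000-0000-0000-0000-000000000001"),
    _audit("Add EligibleRoleAssignement to RoleDefinition", "Exchange Administrator", "00000000-0000-0000-0000-000000000002"),
    _audit("Add member to role", "Security Administrator", "00000000-0000-0000-0000-000000000003", result="failure"),
    _audit("Add role assignment to role definition", "Tier-1 Helpdesk Administrator", "00000000-0000-0000-0000-000000000004"),  # custom role
]


def role_properties(record):
    """Extract the target role's display name and template id from
    targetResources[].modifiedProperties. newValue is assumed to be a JSON
    string literal (e.g. "\"Global Administrator\"") and is decoded; an
    unquoted value is kept as-is."""
    props = {}
    for target in record.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            name = prop.get("displayName")
            if name not in ("Role.DisplayName", "Role.TemplateId"):
                continue
            raw = prop.get("newValue")
            try:
                props[name] = json.loads(raw) if raw is not None else None
            except (ValueError, TypeError):
                props[name] = raw
    return props


def classify(record):
    """Return the set of alert names this audit record triggers."""
    alerts = set()
    if record.get("result") != "success":
        return alerts  # both rules require result eq 'success'
    activity = record.get("activityDisplayName")
    props = role_properties(record)
    role_name = (props.get("Role.DisplayName") or "").lower()
    # Administrative if the role name contains "administrator" (built-in or custom)
    if activity in ADMIN_ROLE_ACTIVITIES and "administrator" in role_name:
        alerts.add("admin_privilege_elevation")
    # The Global admin rule keys on the well-known template id, not the name
    if activity in GLOBAL_ADMIN_ACTIVITIES and props.get("Role.TemplateId") == GLOBAL_ADMIN_TEMPLATE_ID:
        alerts.add("global_admin_elevation")
    return alerts


def classify_all(records):
    """Sorted alert names per record, in input order."""
    return [sorted(classify(r)) for r in records]


if __name__ == "__main__":
    for rec, hits in zip(SAMPLE_AUDITS, classify_all(SAMPLE_AUDITS)):
        print(f"{rec['activityDisplayName']:48} {rec['result']:8} -> {hits}")
```

The Global Administrator assignment trips both rules, the eligible Exchange Administrator and the custom “Tier-1 Helpdesk Administrator” trip only the name-based rule, and the Directory Readers assignment and the failed Security Administrator assignment trip neither.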

  1. New Group Creation.

Creates an alert when a new Group is created in Entra ID / M365.

Events will be created based on the Entra ID Directory Audit Logs records that match the following Graph API filter:

activityDisplayName eq 'Add group' AND result eq 'success'

❌ User Filter support 

❌ Group filter support 

  1. New User Creation.

Creates an alert when a new Entra ID user is created.

Events will be created based on the Entra ID Directory Audit Logs records that match the following Graph API filter:

activityDisplayName eq 'Add user' AND result eq 'success'

❌ User Filter support 

❌ Group filter support 

  1. Risky sign-ins detected.

Creates an alert if a risky sign-in is detected for a user in the organization. 

All Interactive and Non-Interactive login attempts with any risk state except “none” that match the following Microsoft Graph API filter are taken into account, based on Entra ID Sign-In audit logs.

riskState ne 'none'

✅ User Filter support 

✅ Group filter support 

  1. Unlikely travel risk detections.

Creates an alert if an impossible travel risk is detected for any users in the organization with their location. This risk detection type identifies two sign-ins originating from geographically distant locations, where at least one of the locations might also be atypical for the user, given past behavior. The algorithm takes into account multiple factors including the time between the two sign-ins and the time it would take for the user to travel from the first location to the second. This risk might indicate that a different user is using the same credentials. 

Note: Microsoft license requirement for this alert policy: Microsoft Entra ID P2

All Interactive and Non-Interactive login attempts that match the following Microsoft Graph API filter are taken into account, based on Entra ID Sign-In audit logs.

riskEventTypes_v2/any(t: t eq 'unlikelyTravel')

✅ User Filter support 

✅ Group filter support 
