EVIWOL
Dec 18, 2024 (Copper Contributor)
How to Create Alerts for New Global Admins/Privileged access accounts
Hello Microsoft Community,
I'm looking for guidance on setting up alerts whenever a new Global Admins or Privileged access account.
I'm not trying to look for a PIM scenario.
Try below:
- Enable Azure AD Diagnostic Logs:
  - Go to the Azure portal.
  - Navigate to Azure Active Directory > Audit logs.
  - Enable diagnostic settings to send logs to a Log Analytics workspace.
- Create a Log Analytics Workspace:
  - If you don't have one, create a Log Analytics workspace in the Azure portal.
- Write a Kusto Query:
  - Use a Kusto query to filter for specific events related to Global Admin or Privileged access account assignments. For example:

    AuditLogs
    | where ActivityDisplayName == "Add member to role"
    | where TargetResources contains "Global Administrator" or TargetResources contains "Privileged Role Administrator"
- Set Up Alerts:
  - In the Log Analytics workspace, create an alert rule based on the Kusto query.
  - Go to Alerts > New alert rule.
  - Define the condition using your Kusto query.
  - Set the alert logic (e.g., when the query returns more than 0 results).
  - Configure the action group to send notifications via email, SMS, or other methods.
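A stricter form of the alert query from the steps above, added here as an example and not part of the original reply. It matches the role name exactly instead of substring-searching the whole `TargetResources` value, and it projects who made the assignment so the alert is actionable. It assumes the assigned role appears in `modifiedProperties` under the name `Role.DisplayName` with a quoted value; check one real "Add member to role" record in your workspace before relying on it.

```kusto
// Added example: alert on direct (non-PIM) assignment of highly privileged roles.
// Assumption: the role name is carried in TargetResources[].modifiedProperties
// as { displayName: "Role.DisplayName", newValue: "\"<role name>\"" }.
let WatchedRoles = dynamic(["Global Administrator", "Privileged Role Administrator"]);
AuditLogs
| where Category == "RoleManagement"
| where ActivityDisplayName == "Add member to role"
| where Result =~ "success"
// One row per target resource, then one row per modified property
| mv-expand TargetResource = TargetResources
| mv-expand Property = TargetResource.modifiedProperties
| where tostring(Property.displayName) == "Role.DisplayName"
// newValue is stored with surrounding double quotes; strip them before comparing
| extend RoleName = trim('"', tostring(Property.newValue))
| where RoleName in~ (WatchedRoles)
// The initiator is either a user or an application / service principal
| extend Actor = coalesce(
      tostring(InitiatedBy.user.userPrincipalName),
      tostring(InitiatedBy.app.displayName))
// The account that received the role (user UPN, or display name for other principals)
| extend Target = coalesce(
      tostring(TargetResource.userPrincipalName),
      tostring(TargetResource.displayName))
| project TimeGenerated, RoleName, Target, Actor, CorrelationId
```

Used as the alert rule condition with the "more than 0 results" logic from the steps above, each returned row corresponds to one role assignment.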