Creating Policy Alerts for Office 365 Azure Active Directory
Create custom policies to generate alerts for actions on resources that are specific to your Office 365 Azure AD (Active Directory) environment.
Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.
You can create policies for actions and resources in Azure AD.
Note:
If you registered your Office 365 instance before April 2016, to enable the features for SharePoint and OneDrive and for Azure AD, you must reenter the Oracle CASB Cloud Service user's credentials for your registered application instance in the credentials update page. Select Applications, click the icon for the instance to display the Health Summary, and then Modify, Update Credentials.Creating Alerts for Azure AD User, Group, and Role Management
Create a policy that generates an alert for unwarranted actions related to sensitive files and folders.
You can create policies for unwarranted actions related to sensitive files and folders in Office 365 Azure Active Directory (AD). For example, a policy can be triggered and generate an alert you when someone creates a self-service tenant from a domain that you want to exclude from membership.
For instructions about how to create a policy alert for Office 365, see any of the topics for Creating Policy Alerts for Office 365 Exchange Online.
Here are the resources and actions for Azure AD that you can make the target of a policy.
| Resource | Action/Event Name | Trigger for Policies with This Resource and Action |
|---|---|---|
|
AzureAD User |
Add |
An administrator adds a user to the directory. This can be a new user in your organization, a user with an existing Microsoft account, or a user in another Azure AD directory that this administrator manages. |
|
Delete |
An administrator deletes a user from the directory. |
|
|
Update |
An administrator updates a user in the directory. The Azure AD logs should show the attributes that were updated. |
|
|
Reset user password |
An administrator resets the password for a user in the directory. |
|
|
Change user password |
An administrator changes the password for a user in the directory. |
|
|
Set force change user password |
An administrator sets the property that forces a user to change his or her password on login. |
|
|
Set license properties |
An administrator sets the license properties for a user in the directory. |
|
|
Change user license |
An administrator changes the license assigned to a user in the directory. To see what licenses were updated, look in the Azure AD logs for an "Update user" event immediately before or after this event. |
|
|
AzureAD Authentication |
Failed login |
User login failed. |
|
Login |
User logged in successfully. |
|
|
AzureAD Group |
Add group |
An administrator creates a group in the directory. This event is of interest for groups with special privileges. |
|
Update group |
An administrator updates a group in the directory. This event is of interest for groups with special privileges. |
|
|
Delete group |
An administrator deletes a group from the directory. This event is of interest for groups with special privileges. |
|
|
Add member to group |
An administrator adds a member to a group in the directory. This event is of interest for groups with special privileges. |
|
|
Remove member from group |
An administrator removes a member from a group in the directory. This event is of interest for groups with special privileges. |
|
|
AzureAD Role Events |
Add role member |
An administrator adds a user to a directory role (a set of permissions). This can be a sensitive operation if the role is highly privileged. |
|
Remove role member |
An administrator removes a user from a directory role (a set of permissions). This can be a sensitive operation if the role is highly privileged. |
|
|
Set company contact information |
An administrator sets company-level contact preferences, including email addresses for marketing and technical notifications about Microsoft Online Services. |
|
|
Directory |
Set federation settings on domain |
Update the federation settings for a domain. |
|
Verify domain |
Verify a domain in the directory. |
|
|
Verify email domain |
Do email verification of a domain in the directory. |
|
|
Set DirSyncEnabled flag on company |
Set the property that enables a directory for Azure AD Sync. |
|
|
Set Password Policy |
Set length and character constraints for user passwords. |
|
|
Set Company Information |
Update company-level information. See the Get-MsolCompanyInformation PowerShell cmdlet for more information. |
Creating Alerts for Azure AD Application and Directory Management
Create a policy that generates an alert for unwarranted actions related to sensitive files and folders.
You can create policies for actions related to application and directory management in Office 365 Azure AD (for example, when someone creates a self-service tenant from a domain that you want to exclude from membership).
For instructions about how to create a policy alert, see the topics for Creating Policy Alerts for Office 365 Exchange Online.
Here are the resources and actions for Azure AD that you can make the target of a policy.
| Resource | Action/Event Name | Trigger for Policies with This Resource and Action |
|---|---|---|
|
AzureAD Application Events |
Add service principal |
An administrator adds a service principal to the directory. A Service Principal can be tied to an application (often, the application is single sign on). A Service Principal grants the application access to resources in the directory. |
|
Remove service principal |
An administrator removes a service principal from the directory. |
|
|
Add service principal credentials |
An administrator adds authentication credentials to a service principal. After adding an application, an administrator can add a Service Principal that is tied to the application. Often, the purpose of the application is single sign-on. Adding a Service Principal grants the application access to resources in the directory. |
|
|
Remove service principal credentials |
An administrator removes authentication credentials for a service principal. |
|
|
Add delegation entry |
An administrator creates an OAuth2PermissionGrant in the directory to show the resources that each client may access and the permission level for each resource. |
|
|
Set delegation entry |
An administrator updates an OAuth2PermissionGrant in the directory. |
|
|
Remove delegation entry |
An administrator deletes an OAuth2PermissionGrant in the directory. The oauth2PermissionGrants show the resources that each client may access and the permission level for each resource. |
|
|
AzureAD Directory Events |
Add application |
An application has been added to the directory. |
|
Add partner to company |
Add a partner to the directory. |
|
|
Remove partner from company |
Remove a partner from the directory. |
|
|
Remove domain from company |
Remove a domain from the directory. |
|
|
Update domain |
Update a domain in the directory. |
|
|
Set domain authentication |
Change the default domain setting for the company. |
|
|
Set federation settings on domain |
Update the federation settings for a domain. |
|
|
Verify domain |
Verify a domain in the directory. |
|
|
Verify email domain |
Do email verification of a domain in the directory. |
|
|
Set DirSyncEnabled flag on company |
Set the property that enables a directory for Azure AD Sync. |
|
|
Set Password Policy |
Set length and character constraints for user passwords. |
|
|
Set Company Information |
Update company-level information. |