How to configure email notifications for Microsoft Entra Health monitoring alerts (preview)

Microsoft Entra Health provides tenant-level metrics and health signals for several key identity scenarios. These signals are fed into an anomaly detection service, which triggers alerts when significant changes are detected. You can configure email notifications for when an alert is triggered.

This article describes how to configure email notifications for Microsoft Entra Health monitoring alerts.

Important

Microsoft Entra Health scenario monitoring and alerts are currently in PREVIEW. This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here. The Microsoft Entra admin center experience is being released to customers in phases, so you might not see all the features described in this article.

Prerequisites

There are different roles, permissions, and license requirements to view health monitoring signals and configure and receive alerts. We recommend using a role with least privilege access to align with the Zero Trust guidance.

• A tenant with a Microsoft Entra P1 or P2 license is required to view the Microsoft Entra health scenario monitoring signals.
• A tenant with both a non-trial Microsoft Entra P1 or P2 license and at least 100 monthly active users is required to view alerts and receive alert notifications.
• The Reports Reader role is the least privileged role required to view scenario monitoring signals, alerts, and alert configurations.
• The Helpdesk Administrator is the least privileged role required to update alerts and update alert notification configurations.
• The HealthMonitoringAlert.Read.All permission is required to view the alerts using the Microsoft Graph API.
• The HealthMonitoringAlert.ReadWrite.All permission is required to view and modify the alerts using the Microsoft Graph API.
• For a full list of roles, see Least privileged role by task.

Note

Newly onboarded tenants might not have enough data to generate alerts for about 30 days.

Determine email notification recipients

We recommend daily review of the Microsoft Entra Health monitoring scenarios so you're familiar with the baseline metrics and so you can identify trends. It's important to also configure email notifications for when an alert is triggered.

Email notifications are sent to the Microsoft Entra group of your choice. We recommend sending alerts to users with the appropriate access to investigate and take action on the alerts. Not every role can take the same action, so consider including a group with the following roles:

• Security Reader
• Security Administrator
• Intune Administrator
• Conditional Access Administrator

Configure the email notifications

Email notification settings can be configured for each scenario in the Microsoft Entra admin center or using the Microsoft Graph API.

Microsoft Entra admin center

1. Sign in to the Microsoft Entra admin center as at least a Helpdesk Administrator.

2. Browse to Identity > Monitoring & health > Health and select the Health monitoring tab.

3. Select the scenario you want to configure email notifications for.

   

4. From the Group alert notifications section, select either the +Select or Edit button.

   • If no group is selected, the +Select button is displayed.
   • If a group is already selected, the Edit button is displayed.

   

5. From the panel that opens, select the group you want to receive the alerts and select the Select button.

   • Only one group can be selected.
   • The group is updated in the Group alert notifications section of the scenario page.

Members of the selected group will receive an email notification the next time an alert is triggered for the scenario. Repeat this process for the other scenarios.

Note

If the selected group has other groups added as members of that group, the notifications are sent to only the top three groups in the hierarchy.

Microsoft Graph API

To configure alert notifications, you need the ID of the Microsoft Entra group you want to receive the alerts AND the scenario alert ID.

Locate the group's Object ID

From the Microsoft Entra admin center:

1. Sign in to the Microsoft Entra admin center as at least a User Administrator.

2. Browse to Groups > All groups > and select the group you want to receive the alerts.

3. Select Properties and copy the Object ID of the group.

   

Using the Microsoft Graph API:

1. Sign in to Microsoft Graph Explorer as at least a Helpdesk Administrator and consent to the appropriate permissions.

2. Select GET as the HTTP method from the dropdown and set the API version to v1.0.

3. Run the following query to retrieve the list of alerts for your tenant.

   GET https://graph.microsoft.com/v1.0/groups
   

4. Locate and save the id of the group you want to receive the alerts.

Locate the scenario alert type

1. Select GET as the HTTP method from the dropdown and set the API version to beta.

2. Run the following query to retrieve the list of alerts for your tenant.

   GET https://graph.microsoft.com/beta/reports/healthMonitoring/alerts
   

3. Locate and save the alertType of the alert you want to be notified about, for example alertType: "mfaSignInFailure.

Configure the email notifications

In Microsoft Graph Explorer, run the following PATCH query to configure email notifications for alerts.

• Replace {alertType} with the specific alertType you want to configure.
• Replace Object ID of the group with the Object ID of the group you want to receive the alerts.
• For more information, see configure email notifications for alerts.

PATCH https://graph.microsoft.com/beta/reports/healthMonitoring/alertConfigurations/{alertType}
Content-Type: application/json

{
  "emailNotificationConfigurations": [
    {
      "groupId":"Object ID of the group",
      "isEnabled": true
    }
  ]
}

Note

If the selected group has other groups added as members of that group, the notifications are sent to only the top three groups in the hierarchy.