You're on the right path, the category you need is the generic AuditLogs one.
An alternative is using MDCA's activity policies as detailed here: https://learn.microsoft.com/en-us/defender-cloud-apps/user-activity-policies
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi folks,
I'd like to send an email to my admin team when a user in my org adds a new authentication method. These events appear in the Azure portal in: Azure Active Directory > Security > Authentication Methods > Registration & reset events. If a hacker can compromise an MFA-enabled account, then adding another device is a frequent action I've read, so I'd like to alert on that. I have used the method of streaming audit logs to an analytics workspace and setting up an alert rule to email, but here I'm not sure if these authentication methods logs can be streamed to an analytics workspace. I'm not sure what category of log to stream in Azure Active Directory > Diagnostic Settings. Can anyone propose a method of accomplishing this? Thanks!
You're on the right path, the category you need is the generic AuditLogs one.
An alternative is using MDCA's activity policies as detailed here: https://learn.microsoft.com/en-us/defender-cloud-apps/user-activity-policies