Send an alert email upon a new event in the Azure Auth Methods | Registration and Reset log

Ian Campbell 0 Reputation points
2023-08-14T21:58:52.21+00:00

Hi folks,

I'd like to send an email to my admin team when a user in my org adds a new authentication method. These events appear in the Azure portal in: Azure Active Directory > Security > Authentication Methods > Registration & reset events. If a hacker can compromise an MFA-enabled account, then adding another device is a frequent action I've read, so I'd like to alert on that. I have used the method of streaming audit logs to an analytics workspace and setting up an alert rule to email, but here I'm not sure if these authentication methods logs can be streamed to an analytics workspace. I'm not sure what category of log to stream in Azure Active Directory > Diagnostic Settings. Can anyone propose a method of accomplishing this? Thanks!

Microsoft Authenticator
Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
7,263 questions
Azure Stream Analytics
Azure Stream Analytics
An Azure real-time analytics service designed for mission-critical workloads.
361 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,308 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Vasil Michev 108.8K Reputation points MVP
    2023-08-15T15:16:24.01+00:00

    You're on the right path, the category you need is the generic AuditLogs one.

    An alternative is using MDCA's activity policies as detailed here: https://learn.microsoft.com/en-us/defender-cloud-apps/user-activity-policies


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.