Where do I manage old audit activity alerts?
I have an activity alert set up for ACCOUNT A and it was later changed for ACCOUNT B, but we still receive alerts for ACCOUNT A.
I have checked everywhere and there is no alert set up for account A.
How can I find it?
Tried PowerShell too, but not much luck, as most of the commands are not recognized.
Microsoft Purview
Microsoft Defender for Identity
-
phemanth • 13,905 Reputation points • Microsoft Vendor
2025-01-31T04:28:51.5066667+00:00 Thanks for reaching out to Microsoft Q&A.
Please check the steps below and confirm with us.
Microsoft 365 Compliance Center:
- Navigate to the Microsoft 365 Compliance Center.
- Go to Policies > Alert policies. Here, you can view and manage all alert policies.
Using PowerShell:
- Ensure you are connected to the Security & Compliance Center (SCC) endpoint.
- Use the Get-ActivityAlert cmdlet to list all activity alerts. This might help you identify any lingering alerts for ACCOUNT A.
Microsoft Purview Compliance Manager:
- In the Microsoft Purview Compliance Manager, go to the Alerts page to view all generated alerts and their details.
- Check the Policies page to see all alert policies and manage them accordingly.
I hope the above steps will resolve the issue. Please do let us know if the issue persists. Thank you.
-
Gurpreet Kaur Gill • 0 Reputation points
2025-01-31T16:13:58.3266667+00:00 I could not run Get-ActivityAlert from the Exchange/Graph module.
Does it belong to a different module?
-
phemanth • 13,905 Reputation points • Microsoft Vendor
2025-02-03T12:08:48.22+00:00 @Gurpreet Kaur Gill Yes, the Get-ActivityAlert cmdlet belongs to the Security & Compliance Center (SCC) PowerShell module, not the Exchange or Graph modules. To use this cmdlet, you need to connect to the Security & Compliance Center PowerShell. Here are the steps to do that:
Connect to Security & Compliance Center PowerShell:
$UserCredential = Get-Credential
Connect-IPPSSession -Credential $UserCredential
Run the Get-ActivityAlert cmdlet:
Get-ActivityAlert | Format-List Disabled,Name,Description,Operation,UserId,NotifyUser
This should help you list all activity alerts and identify any lingering alerts for ACCOUNT A.
-
Gurpreet Kaur Gill • 0 Reputation points
2025-02-03T17:08:58.2866667+00:00 It only lists the alerts that we have on the current activity alerts page.
-
phemanth • 13,905 Reputation points • Microsoft Vendor
2025-02-04T08:49:01.1266667+00:00 I understand that the Get-ActivityAlert cmdlet is only showing the alerts currently listed on the activity alerts page. Steps to locate the lingering alert for ACCOUNT A:
Check for Hidden Alerts
Sometimes alerts might be hidden or not immediately visible. You can try using the Get-ActivityAlert cmdlet with additional filters to ensure you're not missing any:
Get-ActivityAlert -ResultSize Unlimited | Where-Object { $_.UserId -eq "ACCOUNT A" }
Verify Alert Policies
Ensure that there are no alert policies still configured for ACCOUNT A. You can do this by listing all alert policies and checking their configurations:
Get-AlertPolicy | Format-List Name,Enabled,Conditions,Actions
Check Audit Logs
Review the audit logs to see if there are any entries related to alerts for ACCOUNT A. This might help you identify any lingering configurations:
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -RecordType Alert -Operations AlertTriggered -UserIds "ACCOUNT A"
Reconnect to SCC PowerShell
Ensure you're properly connected to the Security & Compliance Center PowerShell:
$UserCredential = Get-Credential
Connect-IPPSSession -Credential $UserCredential
I hope the above steps will resolve the issue. Please do let us know if the issue persists. Thank you.
-
Gurpreet Kaur Gill • 0 Reputation points
2025-02-07T00:41:20.0066667+00:00 It came blank for said account (Account A).
-
phemanth • 13,905 Reputation points • Microsoft Vendor
2025-02-11T02:02:34.62+00:00 Please check the following steps
Check for Disabled Alerts
Sometimes alerts might be disabled but still exist in the system. You can check for disabled alerts using:
Get-ActivityAlert -ResultSize Unlimited | Where-Object { $_.UserId -eq "ACCOUNT A" -and $_.Disabled -eq $true }
Verify Alert Policies Again
Ensure there are no alert policies still configured for ACCOUNT A by listing all alert policies:
Get-AlertPolicy | Format-List Name,Enabled,Conditions,Actions
Check for Deleted Alerts
Sometimes alerts might have been deleted but still trigger notifications. You can check the audit logs for any deleted alerts:
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -RecordType Alert -Operations AlertDeleted -UserIds "ACCOUNT A"
Reconnect to SCC PowerShell
Ensure you're properly connected to the Security & Compliance Center PowerShell:
$UserCredential = Get-Credential
Connect-IPPSSession -Credential $UserCredential
I hope the above steps will resolve the issue. Please do let us know if the issue persists. Thank you.
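An added example, not part of the thread or of any poster's reply: the searches above filter on UserId only, so this sketch scans every property of every activity alert and alert policy for the account, which also catches it as a NotifyUser recipient. It assumes the ExchangeOnlineManagement module is installed; Get-ProtectionAlert is not mentioned in the thread, and the two addresses and the Find-AccountReference helper are placeholders made up for illustration.

```powershell
# Added example. Placeholders: admin sign-in name and the account to look for.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

# Use the value exactly as it appears in the alert e-mail (placeholder here).
$account = 'accounta@contoso.example'

function Find-AccountReference {
    # Hypothetical helper: returns one row per property that mentions $Account.
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $InputObject,
        [Parameter(Mandatory)] [string] $Account,
        [Parameter(Mandatory)] [string] $Source
    )
    foreach ($item in $InputObject) {
        foreach ($prop in $item.PSObject.Properties) {
            # Multi-valued properties (UserId, NotifyUser) are flattened
            # so a single substring test covers every entry.
            $text = @($prop.Value) -join ';'
            if ($text.IndexOf($Account, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{
                    Source   = $Source
                    Name     = $item.Name
                    Disabled = $item.Disabled
                    Property = $prop.Name
                    Value    = $text
                }
            }
        }
    }
}

$hits  = @()
# Legacy activity alerts (the "Activity alerts" page).
$hits += Find-AccountReference -InputObject @(Get-ActivityAlert) `
            -Account $account -Source 'ActivityAlert'
# Alert policies (the "Alert policies" page) live in a separate object type.
$hits += Find-AccountReference -InputObject @(Get-ProtectionAlert) `
            -Account $account -Source 'ProtectionAlert'

if ($hits.Count -eq 0) {
    Write-Output "No alert or alert policy references $account."
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

The Property column shows whether the account is the monitored user or a notification recipient, and Disabled shows whether the matching entry is still active.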