How to configure email notifications for Microsoft Entra Health monitoring alerts (preview)

Microsoft Entra Health provides tenant-level metrics and health signals for several key identity scenarios. These signals are fed into an anomaly detection service, which triggers alerts when significant changes are detected. You can configure email notifications for when an alert is triggered.

This article describes how to configure email notifications for Microsoft Entra Health monitoring alerts.

Important

Microsoft Entra Health scenario monitoring and alerts are currently in PREVIEW. This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.

Prerequisites

There are different roles, permissions, and license requirements to view health monitoring signals and configure and receive alerts. We recommend using a role with least privilege access to align with the Zero Trust guidance.

  • A tenant with a Microsoft Entra P1 or P2 license is required to view the Microsoft Entra health scenario monitoring signals.
  • A tenant with both a Microsoft Entra P1 or P2 license and at least 100 monthly active users is required to view alerts and receive alert notifications.
  • The Reports Reader role is the least privileged role required to view scenario monitoring signals, alerts, and alert configurations.
  • The Helpdesk Administrator is the least privileged role required to update alerts and update alert notification configurations.
  • The HealthMonitoringAlert.Read.All permission is required to view the alerts using the Microsoft Graph API.
  • The HealthMonitoringAlert.ReadWrite.All permission is required to view and modify the alerts using the Microsoft Graph API.
  • For a full list of roles, see Least privileged role by task.

Known limitations

  • Newly onboarded tenants might not have enough data to generate alerts for about 30 days.
  • Currently, alerts are only available with the Microsoft Graph API.

Determine email notification recipients

With the Microsoft Graph health monitoring alerts API, you can run the API calls on a regular cadence (for example, daily or hourly) and configure email notifications for when an alert is triggered. We recommend daily monitoring of the scenario monitoring signals and alerts.

Email notifications are sent to the Microsoft Entra group of your choice. We recommend sending alerts to users with the appropriate access to investigate and take action on the alerts. Not every role can take the same action, so consider including a group with the following roles:

Configure the email notifications

To configure alert notifications, you need the ID of the Microsoft Entra group you want to receive the alerts AND the scenario alert ID. You can configure different groups to receive alerts for different alert scenarios.

Locate the group's Object ID

  1. Sign in to the Microsoft Entra admin center as at least a User Administrator.

  2. Browse to Groups > All groups and select the group you want to receive the alerts.

  3. Select Properties and copy the Object ID of the group.

    Screenshot of the group properties in the Microsoft Entra admin center.

Locate the scenario alert type

  1. Sign in to Microsoft Graph Explorer as at least a Helpdesk Administrator and consent to the appropriate permissions.

  2. Select GET as the HTTP method from the dropdown and set the API version to beta.

  3. Run the following query to retrieve the list of alerts for your tenant.

    GET https://graph.microsoft.com/beta/reports/healthMonitoring/alerts
    
  4. Locate and save the alertType of the alert you want to be notified about, for example alertType: "mfaSignInFailure".

Configure the email notifications

In Microsoft Graph Explorer, run the following PATCH query to configure email notifications for alerts.

  • Replace {alertType} with the specific alertType you want to configure.
  • Replace Object ID of the group with the Object ID of the group you want to receive the alerts.
  • For more information, see configure email notifications for alerts.

PATCH https://graph.microsoft.com/beta/reports/healthMonitoring/alertConfigurations/{alertType}
Content-Type: application/json

{
  "emailNotificationConfigurations": [
    {
      "groupId":"Object ID of the group",
      "isEnabled": true
    }
  ]
}
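
The alert lookup and PATCH steps above can be scripted rather than run by hand in Graph Explorer. The following Python is an added example, not Microsoft's code: the function names are hypothetical, the sample response and the second alertType are constructed, and the access token (with HealthMonitoringAlert.ReadWrite.All) is assumed to be obtained separately. The alertType pattern check is an assumption based on the mfaSignInFailure example.

```python
import json
import re
import urllib.request
import uuid

GRAPH = "https://graph.microsoft.com/beta/reports/healthMonitoring"

# Constructed sample of a GET .../alerts response body (only the fields used here).
SAMPLE_ALERTS = {"value": [
    {"id": "constructed-1", "alertType": "mfaSignInFailure"},
    {"id": "constructed-2", "alertType": "exampleOtherAlertType"},  # placeholder value
    {"id": "constructed-3", "alertType": "mfaSignInFailure"},
]}


def alert_types(alerts_response):
    """Return the distinct alertType values from a GET .../alerts response, in order."""
    seen = []
    for alert in alerts_response.get("value", []):
        alert_type = alert.get("alertType")
        if alert_type and alert_type not in seen:
            seen.append(alert_type)
    return seen


def build_patch(alert_type, group_object_id, access_token):
    """Build (without sending) the PATCH request that enables email notifications."""
    # alertType becomes a URL path segment, so accept only a plain identifier (assumption).
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9]*", alert_type):
        raise ValueError(f"unexpected alertType: {alert_type!r}")
    # The group Object ID must parse as a GUID; uuid.UUID raises ValueError otherwise
    # and str() normalizes it to the canonical hyphenated form.
    group_id = str(uuid.UUID(group_object_id))
    body = {"emailNotificationConfigurations": [{"groupId": group_id, "isEnabled": True}]}
    return urllib.request.Request(
        f"{GRAPH}/alertConfigurations/{alert_type}",
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )


def configure(alert_type, group_object_id, access_token):
    """Send the PATCH and return the HTTP status; urllib raises HTTPError on 4xx/5xx."""
    request = build_patch(alert_type, group_object_id, access_token)
    with urllib.request.urlopen(request) as response:
        return response.status
```

Validating both inputs before the request is built keeps a mistyped or pasted value from changing which configuration endpoint is written to.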
