
Creating an Azure Activity Alert for new group creations


I'm a little stuck.

I'm trying to create an Azure Activity Alert for each Security and User group that's created in an M365 Tenant.

The plan is to create an Azure Automation that'll be triggered by the alert and create a periodic access review of the new group.

However, I can't see an event type other than 'Create or Modify group' in alert rules, but this (Microsoft example) query does not work.

I've looked at other rules and tried creating my own, but I can't find anything that'll surface the test groups I'm creating.

Has anyone got any experience with this?


Solution

  • I'm trying to create an Azure Activity Alert for each Security and User group that's created in an M365 Tenant.

    You can follow the steps below to create an alert that fires if anyone creates, modifies, or deletes an Azure AD group.

    1. Create a Log Analytics workspace and attach it to Azure AD

    2. Go to Microsoft Entra ID > Diagnostic settings > add Diagnostic setting.


    Note: After adding the diagnostic settings, please allow some time for the logs to synchronize with the Log Analytics workspace.

    3. Then go to Microsoft Entra ID > Diagnostic settings > add Diagnostic setting > Log Analytics and run the KQL query below to retrieve the audit logs:
        // Group lifecycle and membership events from the Entra ID audit log
        AuditLogs
        | where Category == "GroupManagement"
        | where OperationName in ('Add group', 'Delete group', 'Add member to group', 'Add owner to group', 'Remove member from group', 'Remove owner from group')
        // InitiatedBy is a dynamic column; .user is empty when an app or service principal acted
        | project TimeGenerated, ResourceId, OperationName, Category, AADOperationType,
            InitiatedByUserPrincipalName = parse_json(tostring(InitiatedBy)).user.userPrincipalName
    


    4. Click New alert rule > select the alert logic under Condition > Actions: create an action group.

    Create an Action Group.


    Fill the alert rule details.


    After completing all the specified steps, if anyone creates, modifies, or deletes an Azure AD group, you will receive an email at the address specified in the action group.

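Added example, not part of the question or the answer above: the same filter the answer's KQL applies, replayed in Python over a handful of constructed rows shaped like the Log Analytics AuditLogs columns the query uses (Category, OperationName, AADOperationType, InitiatedBy, TargetResources). It goes one step further than the answer and pulls out what the questioner's Automation runbook would actually need to open an access review: the new group's object id from TargetResources, restricted to 'Add group' events only. It also handles the case the answer's `InitiatedBy.user` projection leaves blank, a group created by an application rather than a user. All ids, names and timestamps are made up; the assumption that the created group is the `type == "Group"` entry in TargetResources is mine.

```python
"""Replay the GroupManagement audit-log filter over constructed AuditLogs-style rows."""
from typing import Any, Optional

# Operation names used in the answer's KQL 'in (...)' clause.
GROUP_OPERATIONS = {
    "Add group", "Delete group", "Add member to group", "Add owner to group",
    "Remove member from group", "Remove owner from group",
}

# Constructed sample rows (not real tenant data), mimicking the AuditLogs table columns.
SAMPLE_AUDIT_LOGS: list[dict[str, Any]] = [
    {   # a user creates a security group: the event the question is after
        "TimeGenerated": "2024-05-01T10:00:00Z", "Category": "GroupManagement",
        "OperationName": "Add group", "AADOperationType": "Add",
        "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example",
                                 "id": "aaaaaaaa-0000-0000-0000-000000000001"}},
        "TargetResources": [{"id": "11111111-0000-0000-0000-000000000001",
                             "displayName": "sg-finance-readers", "type": "Group"}],
    },
    {   # a group created by an application: InitiatedBy has .app, no .user
        "TimeGenerated": "2024-05-01T10:05:00Z", "Category": "GroupManagement",
        "OperationName": "Add group", "AADOperationType": "Add",
        "InitiatedBy": {"app": {"displayName": "Provisioning Service",
                                "servicePrincipalId": "bbbbbbbb-0000-0000-0000-000000000002"}},
        "TargetResources": [{"id": "22222222-0000-0000-0000-000000000002",
                             "displayName": "grp-project-apollo", "type": "Group"}],
    },
    {   # membership change: matched by the answer's query, but not a new group
        "TimeGenerated": "2024-05-01T10:10:00Z", "Category": "GroupManagement",
        "OperationName": "Add member to group", "AADOperationType": "Assign",
        "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example",
                                 "id": "aaaaaaaa-0000-0000-0000-000000000001"}},
        "TargetResources": [{"id": "cccccccc-0000-0000-0000-000000000003",
                             "displayName": "bob@contoso.example", "type": "User"}],
    },
    {   # not group management at all: dropped by the Category clause
        "TimeGenerated": "2024-05-01T10:15:00Z", "Category": "UserManagement",
        "OperationName": "Add user", "AADOperationType": "Add",
        "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example",
                                 "id": "aaaaaaaa-0000-0000-0000-000000000001"}},
        "TargetResources": [{"id": "dddddddd-0000-0000-0000-000000000004",
                             "displayName": "carol@contoso.example", "type": "User"}],
    },
    {   # group deletion: matched by the query, ignored by new_groups()
        "TimeGenerated": "2024-05-01T10:20:00Z", "Category": "GroupManagement",
        "OperationName": "Delete group", "AADOperationType": "Delete",
        "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example",
                                 "id": "aaaaaaaa-0000-0000-0000-000000000001"}},
        "TargetResources": [{"id": "11111111-0000-0000-0000-000000000001",
                             "displayName": "sg-finance-readers", "type": "Group"}],
    },
]


def initiator_upn(row: dict[str, Any]) -> Optional[str]:
    """Equivalent of parse_json(tostring(InitiatedBy)).user.userPrincipalName.
    Returns None when an app, not a user, initiated the operation."""
    return ((row.get("InitiatedBy") or {}).get("user") or {}).get("userPrincipalName")


def group_management_events(rows: list[dict[str, Any]],
                            operations: set[str] = GROUP_OPERATIONS) -> list[dict[str, Any]]:
    """The answer's query: Category filter, OperationName in (...), then project."""
    return [
        {"TimeGenerated": r["TimeGenerated"], "OperationName": r["OperationName"],
         "AADOperationType": r["AADOperationType"],
         "InitiatedByUserPrincipalName": initiator_upn(r)}
        for r in rows
        if r.get("Category") == "GroupManagement" and r.get("OperationName") in operations
    ]


def new_groups(rows: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Only 'Add group' events, with the created group's object id and display name:
    the input an access-review runbook needs. Falls back to the app display name
    when no user UPN is present, so app-created groups are not silently dropped."""
    out = []
    for r in rows:
        if r.get("Category") != "GroupManagement" or r.get("OperationName") != "Add group":
            continue
        # Assumption: the created group is the TargetResources entry of type "Group".
        targets = [t for t in r.get("TargetResources", []) if t.get("type") == "Group"]
        if not targets:
            continue  # malformed row: nothing to review, skip rather than alert on nothing
        app = (r.get("InitiatedBy") or {}).get("app") or {}
        actor = initiator_upn(r) or app.get("displayName") or "unknown"
        out.append({"groupId": targets[0]["id"], "displayName": targets[0]["displayName"],
                    "createdBy": actor, "time": r["TimeGenerated"]})
    return out


if __name__ == "__main__":
    for event in group_management_events(SAMPLE_AUDIT_LOGS):
        print(event)
    for group in new_groups(SAMPLE_AUDIT_LOGS):
        print(group)
```

The same narrowing can be done in the alert query itself, so that the rule fires only on creations: replace the `in (...)` clause with `| where OperationName == "Add group"` and add `| extend GroupId = tostring(TargetResources[0].id)` before the `project`; the `[0]` index is the same assumption as in the code above, that the group is the first target resource. Keep the `Add member to group` / `Remove member from group` rows for a separate, noisier alert if you also want to watch membership churn.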