
I am trying to create an alert for the specific "Assigns the caller to User Access Administrator role" log entry in the Azure Monitor Directory log section, so that when it is triggered, I can send an e-mail to a specific address.

However, whenever I click on said log entry, I don't get the "New Alert Rule" button that does appear on subscription-specific logs. So I was wondering if there is an actual way to create an alert, or maybe another way that I can trigger some logic when the "Assigns the caller to User Access Administrator role" log entry appears.

1 Answer


Where did you see this kind of event? I don't remember having seen this kind of event, and I don't know exactly what you meant by "Azure Monitor Directory log section", but it seems to be related to Azure AD, doesn't it?

I would say that you should create a Diagnostic Setting for your Azure AD to send its logs to a Log Analytics Workspace, and then use a KQL query to retrieve this event and create an alert rule for this query based on its results.

You just have to know in which category this kind of event exists, as there are several categories available in Active Directory logs and you should export just what you really need, but you may have this information available where you have seen the log message.

  • 1
    The event I am referring to appears whenever a Global Administrator elevates its role to the "User Access Administrator" role, which allows it to gain control over all subscriptions in the tenant. When I say "Azure Monitor Directory log section", I am referring to the fact that whenever you enter Azure Monitor's Activity log, there are two sections, one for the subscription-specific logs, and another for the directory-level logs. Anyway, referring the log to Log Analytics and using KQL did the trick. Thank you – MarcosHT503 Jul 15 '23 at 02:24
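
The approach from the answer, as an added example that is not part of the original thread: a KQL query that a Log Analytics log alert rule could run, with an action group sending the e-mail. It assumes the exported Activity log records land in the `AzureActivity` table and that the entry's operation is `Microsoft.Authorization/elevateAccess/action`; confirm both against one real record in your own workspace before relying on the alert.

```kusto
// Added example, not from the original thread.
// Assumption: the directory-level Activity log records arrive in the
// AzureActivity table; change the table name if your diagnostic setting
// delivers them elsewhere.
AzureActivity
// Operation behind "Assigns the caller to User Access Administrator role".
// =~ compares case-insensitively, since the stored casing can vary.
| where OperationNameValue =~ "Microsoft.Authorization/elevateAccess/action"
// One operation can emit several records (for example a start and a
// completion record). Keep only the latest record per correlation ID so
// each elevation is counted once.
| summarize arg_max(TimeGenerated, *) by CorrelationId
// Keep the fields a responder needs in the notification.
| project TimeGenerated, Caller, CallerIpAddress, ActivityStatusValue, CorrelationId
| order by TimeGenerated desc
```

The query has no time filter because the alert rule's evaluation period sets the window; configuring the rule to fire when the number of returned rows is greater than 0 gives one notification per evaluation in which an elevation occurred.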