tomwrigglesworth
Copper Contributor
Dec 31, 2024

Email alert when roles are adjusted

Hi all, 

 

I've had a look around but can't find anything up to date that would help my issue.

What we're after is an email alert whenever a 365 role is changed (user added or removed).

 

Looking in Defender, there's only an alert for an Exchange Administrator change. Is there anyone who has something in production that would do this job?

 

Kind regards

Tom

  • Karanvaghela
    Brass Contributor

    hey


    Create Custom Alert Policies for Role Changes

     

    Once audit logging is enabled, you can create custom alert policies to monitor for role assignment changes.

    1. Go to Microsoft 365 Security & Compliance Center:

    Open the Microsoft 365 compliance center at https://compliance.microsoft.com. Click on Alerts in the left pane, then select Alert policies.

    2. Create a new alert policy:

    Click on + New alert policy. Select Activity is performed by a user; this would be related to role assignments.

    3. Define Activity for Role Changes:

    In the Activity section, use Role Group Member Added and Role Group Member Removed; you may need to specify the roles like Global Admin, SharePoint Admin, etc. For example, if you want to track changes to a particular admin role, use the Role assignment activity and look for actions like “Add user to role” and “Remove user from role”.

    4. Configure the Alert:

    Set the Alert severity to High or Medium based on your preference. Add the email recipients who should be notified when the alert is triggered.

    5. Save and Apply the Alert:

    Review the settings and save the alert policy.

    • tomwrigglesworth
      Copper Contributor

      Is there a way to do this with the new Purview? I don't have access to the classic any more.

      • Karanvaghela
        Brass Contributor

        Yes, you can try this:

        Create a Custom Alert in Microsoft Purview

         

        Use Alert Policies in Microsoft Purview to generate notifications.

        1. Go to Compliance Portal > Alerts > Alert Policies.
        2. Create a new alert policy:
           • Name: “Role Change Alert”
           • Category: Threat Management
           • Activity: Select relevant activities, such as:
             • Added member to role
             • Removed member from role
             • Directory Role Assigned
           • Threshold: Set the number of activities to trigger an alert (e.g., 1).
           • Recipients: Add your email or security group for notifications.
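
The role-change activities named in the replies above, applied to exported audit records to produce one notification mail per change. This is an added example, not part of the original thread or any Microsoft tooling. Assumptions: the record field layout (`Operation`, `UserId`, `ObjectId`, `ModifiedProperties`) and the operation strings follow Entra ID entries in the unified audit log; all sample records and addresses are constructed.

```python
import json
from email.message import EmailMessage

# Entra ID operation names in the unified audit log (trailing period included).
ROLE_OPS = {"add member to role.": "added to",
            "remove member from role.": "removed from"}

# Constructed sample records; the field layout is an assumption modelled on AuditData JSON.
SAMPLE = [
    {"CreationTime": "2025-01-02T09:14:07", "Operation": "Add member to role.",
     "UserId": "admin@contoso.example", "ObjectId": "alice@contoso.example",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "OldValue": "",
                             "NewValue": "Global Administrator"}]},
    {"CreationTime": "2025-01-02T09:20:31", "Operation": "Remove member from role.",
     "UserId": "admin@contoso.example", "ObjectId": "bob@contoso.example",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "",
                             "OldValue": "Exchange Administrator"}]},
    {"CreationTime": "2025-01-02T09:25:00", "Operation": "UserLoggedIn",
     "UserId": "alice@contoso.example", "ObjectId": "00000000-0000-0000-0000-000000000000"},
]

def role_changes(records):
    """Yield one dict per role membership change; ignore every other operation."""
    for raw in records:
        rec = json.loads(raw) if isinstance(raw, str) else raw
        verb = ROLE_OPS.get(str(rec.get("Operation", "")).strip().lower())
        if verb is None:
            continue
        role = "unknown role"
        for prop in rec.get("ModifiedProperties") or []:
            if prop.get("Name") == "Role.DisplayName":
                # Additions carry the role in NewValue, removals in OldValue.
                role = prop.get("NewValue") or prop.get("OldValue") or role
        yield {"time": rec.get("CreationTime", "?"), "actor": rec.get("UserId", "?"),
               "target": rec.get("ObjectId", "?"), "role": role, "verb": verb}

def build_alert(change, sender, recipient):
    """Build the notification mail; log-derived text is stripped of CR/LF before
    it reaches a header, so a crafted value cannot inject extra headers."""
    clean = {k: " ".join(str(v).split()) for k, v in change.items()}
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "Role change: {target} {verb} {role}".format(**clean)
    msg.set_content("{time}: {actor} made a change: {target} was {verb} {role}.".format(**clean))
    return msg

if __name__ == "__main__":
    for c in role_changes(SAMPLE):
        print(build_alert(c, "alerts@contoso.example", "secops@contoso.example"))
```

The returned `EmailMessage` objects can be handed to `smtplib.SMTP.send_message` on whatever relay the tenant already uses for alerting.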
