Skip to content

Get Office 365 activity alerts when user signs in

Do you like to know how to get Office 365 activity alerts when a user signs in? For example, you did assign admin rights to a user, and you like to know by email when the user signs in to the portal. Of course, this does not have to be an admin. You can set the same up for users in the Microsoft 365 tenant. In this article, we will look at how to get an Office 365 activity alert delivered by email when user signs in.

Create new alert policy for user sign in

To create a new alert policy when a user signs in, go through the below steps:

  1. Sign in to Microsoft 365 Defender.
  2. Navigate to Policies & rules > Activity alerts.
Office 365 security alert policies and rules
  1. If you don’t yet have auditing turned on, click the Turn on auditing button. If you don’t, there is no auditing, and you will not be able to create a new alert policy.
Office 365 security alert turn on auditing
  1. Refresh the page several times, and the message will go away. If not, give it some time and wait till you see the New alert policy button change from greyed out to a clickable button.
Office 365 security alert preparing audit log
  1. Click on New alert policy.
Office 365 security alert  new alert policy
  1. Fill in the details for the new alert policy:
  1. Name: Sign-in user
  2. Description: Create an alert and send an email when the user signs in
  3. Activities: User logged in
  4. Users: The user that you want to monitor when signing in
  5. Recipients: The recipient that will get an email when the user signs in (this can be an external email)
  6. Click Save.
Office 365 security alert new alert policy details
  1. The alert policy is successfully created and shown in the Activity alerts list.
Activity alert policy created

Verify Office 365 activity alert

Do not start to test immediately. It can take 24 hours before the activity alert policy takes effect.

Note: It can take up to 30 minutes or up to 24 hours after an event occurs for the corresponding audit log record to be returned in the results of an audit log search. The following table shows the time it takes for the different services in Office 365.

Microsoft 365 service or feature

After 24 hours, test out the policy.

Sign in to the Microsoft 365 portal with the user account you set up in the previous step. Wait a bit, and you will get an Office 365 Activity Alert email in your mailbox.

Activity alert sign-in

That’s it!

Read more: How to Restrict access to Microsoft Entra admin center »

Conclusion

You learned how to get Office 365 activity alerts when user signs in. Sign in to the Microsoft 365 security center and configure the activity alert policy. Remember that it will take up to 24 hours before the activity alert policy starts to work.

Did you enjoy this article? You may also like Move from per-user MFA to Conditional Access MFA. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 8 Comments

  1. This type of activity “user logged in” does not exist anymore. Could not find an alternative solution.

    1. It looks like the search in “Activities” is not working correctly, and you need to scroll through the list and select “User logged in”.

      I just tested it out and got an email alert when signing in with a user.

      1. Thank you for checking Ali, I was able to find it now. Thank you for the help and for the nice tutorial!

Leave a Reply

Your email address will not be published. Required fields are marked *