How to add an Exchange Online license to a mailbox in Exchange Hybrid? You have…
Get Office 365 activity alerts when user signs in
Do you like to know how to get Office 365 activity alerts when a user signs in? For example, you did assign admin rights to a user, and you like to know by email when the user signs in to the portal. Of course, this does not have to be an admin. You can set the same up for users in the Microsoft 365 tenant. In this article, we will look at how to get an Office 365 activity alert delivered by email when user signs in.
Create new alert policy for user sign in
To create a new alert policy when a user signs in, go through the below steps:
- Sign in to Microsoft 365 Defender.
- Navigate to Policies & rules > Activity alerts.
- If you don’t yet have auditing turned on, click the Turn on auditing button. If you don’t, there is no auditing, and you will not be able to create a new alert policy.
- Refresh the page several times, and the message will go away. If not, give it some time and wait till you see the New alert policy button change from greyed out to a clickable button.
- Click on New alert policy.
- Fill in the details for the new alert policy:
- Name: Sign-in user
- Description: Create an alert and send an email when the user signs in
- Activities: User logged in
- Users: The user that you want to monitor when signing in
- Recipients: The recipient that will get an email when the user signs in (this can be an external email)
- Click Save.
- The alert policy is successfully created and shown in the Activity alerts list.
Verify Office 365 activity alert
Do not start to test immediately. It can take 24 hours before the activity alert policy takes effect.
Note: It can take up to 30 minutes or up to 24 hours after an event occurs for the corresponding audit log record to be returned in the results of an audit log search. The following table shows the time it takes for the different services in Office 365.
After 24 hours, test out the policy.
Sign in to the Microsoft 365 portal with the user account you set up in the previous step. Wait a bit, and you will get an Office 365 Activity Alert email in your mailbox.
That’s it!
Read more: How to Restrict access to Microsoft Entra admin center »
Conclusion
You learned how to get Office 365 activity alerts when user signs in. Sign in to the Microsoft 365 security center and configure the activity alert policy. Remember that it will take up to 24 hours before the activity alert policy starts to work.
Did you enjoy this article? You may also like Move from per-user MFA to Conditional Access MFA. Don’t forget to follow us and share this article.
As it seems like MS is changing this alert, is the only alternative the Log Analytics / Azure monitor one? And that will cost some money I assume as it requires a workspace/storage?
This feature only works partially. Not all users’ log in activity triggeres email.
Reported to Microsoft, they said they’re retiring this alert. Although they’re still invesitgating the cause of some users not triggering the alert, but I don’t think there will be any useful outcome.
Hi Ali,
Can’t find it in https://security.microsoft.com/alertpoliciesv2 … under activity is
Have you got another way?
Regards
It’s the following URL: https://security.microsoft.com/managealerts
this feature is not working properly
nothing shows under choose activities for alert
It still works (I just tested it).
You must scroll through the list and select “User logged in”.
Does something like this exist for on-premises Active Directory?
This type of activity “user logged in” does not exist anymore. Could not find an alternative solution.
It looks like the search in “Activities” is not working correctly, and you need to scroll through the list and select “User logged in”.
I just tested it out and got an email alert when signing in with a user.
Thank you for checking Ali, I was able to find it now. Thank you for the help and for the nice tutorial!