In this article:

• Objective

• Prerequisites

• Steps to follow

• Validation and confirmation

• Tips

• Related topics and articles

Objective

Learn how to configure an alert that notifies administrators whenever a new service principal is created in Entra ID, enabling early detection of potential application registrations or unauthorized access attempts within the environment.

Prerequisites  

• Access to the ADAudit Plus web console.

• A user account with administrator privileges or a technician account with delegated permissions to configure alerts under Cloud Directory.

• The Entra ID module must be properly configured and licensed in ADAudit Plus.

• Audit logs must be actively collected from Entra ID (i.e., ensure the Audit module under Cloud Directory shows a healthy sync status).

• If you want alert notifications sent via email, ensure that SMTP settings are configured under Admin > General Settings > Server Settings in ADAudit Plus.

Steps to follow

1. Use an account with either the administrator role or a technician account with delegated permissions to create/modify alerts.

2. Navigate to Alerts from the top menu.

3. Click New Alert Profile (top-right corner).

4. Enter a relevant Alert Name and Description (e.g., Member Added to Entra ID Role).

5. Click the + symbol next to Report Profiles.

6. Under Domain, select the Cloud Account.

7. Choose Applications Created as the report profile.

8. Scroll down to the Filter section and enable it.

9. Set the first filter as follows:

1. Attribute: Activity

2. Operator: Equals

3. Value: Add service principal

10. This will generate alerts whenever service principal creation happens in Entra ID.

11. In the Alert Actions section, check the E-mail Notification box.

12. Enter the recipient email addresses.

13. Provide a clear and relevant subject line for the email notification.

14. Select the preferred format for the alert email, either HTML or Plain Text.

15. Use the check boxes to select the details you would like to include in the email:

1. Alert Message

2. Alert Profile Name

3. Event Details

16. Check the Throttle Notification box to suppress multiple alerts into a single notification based on defined criteria.
    Example: If multiple logon failures are detected from the same user within 15 minutes, consolidate them into one alert.

17. If SMS provider settings are configured in ADAudit Plus (Admin > General Settings > Server Settings > SMS), check the SMS Notification box for real-time updates.

18. Check the Execute Script box to trigger a script automatically when a specific alert is generated.
    Example: Lock a user account temporarily after detecting 10 consecutive logon failures from that account.

19. If a ticketing tool is integrated with ADAudit Plus (Admin > Configuration > Ticketing System Integration), check the Configure Auto Ticketing box to automatically generate tickets for alerts.

Note: You can also use Throttle Ticket Generation to avoid creating a ticket for every alert and instead generate one for a group of alerts meeting certain conditions.

20. Click Save to activate the alert profile.

Validation and confirmation

• Manually add a test user to any Entra ID role using the Azure portal.

• Go to Alerts > Expand Cloud account under Profile based alerts. 

• Choose the Alert profile that was created and view alerts in the ADAudit Plus console.

• Verify that the alert appears with the correct event details (user, role, time).

• Ensure the alert email is received at the specified address.

Tips

• Include key details in the alert message:

• Add dynamic values such as:

• Username

• Time of action

• Who performed the action

• Client IP or source

• Create dedicated alert profiles for administrators or critical service accounts to monitor user disablement more closely.

• Store alert history for audit trails and compliance reporting.

Related topics and articles

• How to configure an alert to notify when MFA authentication methods are modified.