How to configure an alert for sign-in attempts using disabled accounts in Entra ID


Objective 

To provide step-by-step guidance on configuring an alert that notifies administrators when a sign-in attempt is made using a disabled account in Entra ID, enabling early detection of unauthorized access attempts or misconfigured account usage.

Prerequisites   

    • Access to the ADAudit Plus web console.

    • A user account with administrator privileges or a technician account with delegated permissions to configure alerts under Cloud Directory.

    • The Entra ID module must be properly configured and licensed in ADAudit Plus.

    • Audit Logs must be actively collected from Entra ID (i.e., ensure the Audit module under Cloud Directory shows a healthy sync status).

    • If you want alert notifications sent via email, ensure that SMTP settings are configured under Admin > General Settings > Server Settings in ADAudit Plus.

 Steps to follow 

  1. Use an account with either the Administrator role, or a Technician account with delegated permissions to create/modify alerts.
  2. Navigate to Alerts from the top menu.
  3. Click New Alert Profile (top-right corner).
  4. Enter a relevant Alert Name and Description (e.g., Member Added to Azure AD Role).
  5. Click the "+" symbol next to Report Profiles.
  6. Under Domain, select the Cloud Account.
  7. Choose Logon Failure as the report profile.
  8. Scroll down to the Filter section and enable it.
  9. Set the first filter as follows:

    1. Attribute: Failure Error Code

    2. Operator: Equals

    3. Value: 50057

    This will generate alerts whenever sign-in attempts happen using disabled accounts in Entra ID and whenever a user account is locked in Entra ID.

  10. In the Alert Actions section, enable the E-mail Notification checkbox.
  11. Enter recipient email addresses.
  12. Provide a clear and relevant subject line for the email notification.
  13. Select the preferred format for the alert email, either HTML or Plain Text.
  14. Use the checkboxes to select the details you would like to include in the email:

    1. Alert Message

    2. Alert Profile Name

    3. Event Details

  15. Enable the Throttle Notification checkbox to suppress multiple alerts into a single notification based on defined criteria.
    Example: If multiple logon failures are detected from the same user within 15 minutes, consolidate them into one alert.
  16. If SMS provider settings are configured in ADAudit Plus (Admin > General Settings > Server Settings > SMS), enable the SMS Notification checkbox for real-time updates.
  17. Enable the Execute Script checkbox to trigger a script automatically when a specific alert is generated.
    Example: Lock a user account temporarily after detecting 10 consecutive logon failures from that account.
  18. If a ticketing tool is integrated with ADAudit Plus (Admin > Configuration > Ticketing system Integration), enable the Configure Auto Ticketing checkbox to automatically generate tickets for alerts.

Note:

  19. Click Save to activate the alert profile.
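
The filter on Failure Error Code 50057 and the 15-minute throttle example from the steps above can be cross-checked outside the console. The following is an added example, not ADAudit Plus code: it assumes sign-in records exported as JSON in the Microsoft Graph signIn shape, and the sample records, user names and IP addresses are constructed.

```python
import json
from datetime import datetime, timedelta

DISABLED_ACCOUNT_CODE = 50057            # same value as the alert filter
THROTTLE_WINDOW = timedelta(minutes=15)  # same window as the throttle example

def _rec(upn, time, ip, code):
    # Only the signIn fields this check reads; real exports carry many more.
    return {"userPrincipalName": upn, "createdDateTime": time,
            "ipAddress": ip, "status": {"errorCode": code}}

# Constructed sample export (assumption: logs were saved as a JSON array).
SAMPLE_LOG = json.dumps([
    _rec("alice@example.com", "2024-05-01T10:00:00Z", "203.0.113.10", 50057),
    _rec("bob@example.com",   "2024-05-01T10:01:00Z", "198.51.100.7", 50126),
    _rec("carol@example.com", "2024-05-01T10:03:00Z", "198.51.100.9", 50057),
    _rec("alice@example.com", "2024-05-01T10:05:00Z", "203.0.113.11", 50057),
    _rec("dave@example.com",  "2024-05-01T10:06:00Z", "198.51.100.3", 0),
    _rec("alice@example.com", "2024-05-01T10:14:00Z", "203.0.113.10", 50057),
    _rec("alice@example.com", "2024-05-01T10:20:00Z", "203.0.113.10", 50057),
])

def _when(event):
    return datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))

def disabled_account_alerts(raw_json):
    """Return one alert per user per throttle window for error 50057."""
    hits = [e for e in json.loads(raw_json)
            if (e.get("status") or {}).get("errorCode") == DISABLED_ACCOUNT_CODE]
    hits.sort(key=_when)
    alerts, latest = [], {}              # latest: user -> most recent alert
    for event in hits:
        user, when = event["userPrincipalName"].lower(), _when(event)
        alert = latest.get(user)
        if alert and when - alert["first_seen"] <= THROTTLE_WINDOW:
            # Inside the window: fold into the existing alert, no new notice.
            alert["attempts"] += 1
            alert["last_seen"] = when
            alert["source_ips"].add(event.get("ipAddress"))
            continue
        alert = {"user": user, "first_seen": when, "last_seen": when,
                 "attempts": 1, "source_ips": {event.get("ipAddress")}}
        latest[user] = alert
        alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in disabled_account_alerts(SAMPLE_LOG):
        print(a["user"], a["first_seen"].isoformat(), a["attempts"],
              sorted(a["source_ips"]))
```

The window here is anchored at the first attempt in each group; the console's throttle criteria may group differently.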

 Validation and confirmation 

  • Manually add a test user to any Entra ID role using the Azure portal.
  • Go to Alerts, then select Expand Cloud account under Profile based alerts. 
  • Choose the Alert profile that was created and view alerts in the ADAudit Plus console.

  • Verify that the alert appears with the correct event details (user, role, time).

  • Ensure the alert email is received at the specified address.

 Tips 

  • Include key details in the alert message.

  • Add dynamic values such as:

    • Username

    • Time of action

    • Who performed the action

    • Client IP or source

  • Create dedicated alert profiles for administrators or critical service accounts to monitor user disablement more closely.

  • Store alert history for audit trails and compliance reporting. 
