In this article:

• Objective

• Prerequisites

• Steps to follow

• Validation and confirmation

• Tips

• Related topics and articles

Objective  

This article explains how to configure an alert in ManageEngine ADAudit Plus to notify administrators whenever a user is removed from any role in Microsoft Entra ID. It helps ensure visibility into privilege escalations, enhances security monitoring of cloud identities, and supports compliance with access control policies.

Prerequisites  

• Have access to the ADADAudit Plus web console.

• Have a user account with Administrator privileges or a Technician account with delegated permissions to configure alerts under the Cloud Directory.

• The Microsoft Entra ID audit module must be properly configured and licensed in ADAudit Plus.

• Audit logs must be actively collected from Microsoft Entra ID (e.g., ensure the audit module under the Cloud Directory shows a healthy sync status).

• To receive alert notifications via email from ADAudit Plus, ensure the SMTP settings are configured under Admin > General Settings > Server Settings.

Steps to follow

1. Log in to the ADAudit Plus web console as an administrator or with a Technician account with delegated permissions to create or modify alerts.

2. Navigate to the Alerts tab.

3. Click New Alert Profile in the top-right corner.

4. Enter a relevant Name and Description (e.g., Member Added to Entra ID Role).

5. Click the + symbol in the Report Profiles field.

6. Under Domain, select the configured cloud account.

7. Select the User Modifies report profile. Click OK.

8. You can tailor the Alert Message to suit your specific requirements.

9. In Advanced Configuration, enable the Filter option, choose Add Filter, and define the criteria below.

• Attribute: ACTIVITY

• Operator: contains

• Value: Remove Member from Role

This will generate alerts for any role membership removal in Microsoft Entra ID.

10. If you only want to be alerted for changes to a specific role, click the + icon and add define the second criteria as below.

• Attribute: TARGETS NAME

• Operator: equals 

• Value: <Exact name of the role> (e.g., Security Administrator)

11. In the Alert Actions section, enable E-mail Notification.

12. Enter the recipient email addresses where the alert should be delivered.

13. Provide a clear and relevant subject line for the email notification.

14. Select the preferred format for the alert email, either HTML or Plain Text.

15. Select the details you would like to include in the email, such as:

• Alert Message

• Alert Profile Name

• Event Details

16. Enable the Throttle Notification option to suppress multiple alerts into a single notification based on defined criteria.
    Example: If multiple logon failures are detected from the same user within 15 minutes, consolidate them into one alert after that time window.

17. If SMS provider settings are already configured in ADAudit Plus (Admin > General Settings > Server Settings > SMS), enable SMS Notifications for real-time updates.

18. Enable the Execute Script option to trigger a script automatically when a specific alert is generated.
    Example: Lock a user account temporarily after detecting 10 consecutive logon failures from that account.

19. If a ticketing tool is integrated with ADAudit Plus (Admin > Configuration > Ticketing system Integration), enable Configure Auto Ticketing to automatically generate tickets for alerts.

Note: You can also use Throttle Ticket Generation to avoid creating a ticket for every alert and instead generate one for a group of alerts meeting certain conditions.

20. Click Save to activate the alert profile.

Validation and confirmation

• Manually remove a test user from any Microsoft Entra ID role using the Microsoft Entra ID portal.

• Go to the Alerts tab and expand the cloud account under Profile Based Alerts.

• Select the alert profile that was created to view alerts in the ADAudit Plus console.

• Verify that the alert appears with the correct event details.

• Ensure the alert email is received at the specified address.

• If you configured a filter for a specific role, confirm that alerts are triggered only for that role and not for others.

Tips

• Set up alerts for critical roles.

• Regularly audit alert profiles and delivery configurations to ensure they remain relevant and aligned with security policy changes.

• Use relevant names and descriptions for alert profiles (e.g., Microsoft Entra ID – Member removed from Roles) for easy identification and maintenance.

Related topics and articles:

1. How to create an alert to notify when a member is added from any role