In this article:

• Objective

• Prerequisites

• Steps to follow

• Validation and confirmation

• Tips

• Related topics and articles

Objective

To guide users through the process of configuring an alert in ADAudit Plus to receive notifications whenever MFA is enabled for any user account in the Microsoft Entra ID.

Prerequisites  

• Access to the ADAudit Plus web console.

• A user account with administrator privileges or a technician account with delegated permissions to configure alerts under Cloud Directory.

• The Entra ID must be properly configured and licensed in ADAudit Plus.

• Audit Logs must be actively collected from Entra ID and set to ensure the Audit module under Cloud Directory shows a healthy sync status. 

• If you want alert notifications sent via email, ensure that SMTP settings are configured under Admin > General Settings > Server Settings in ADAudit Plus.

Steps to follow

1. Use an account with either the Administrator role, or a Technician account with delegated permissions to create and modify alerts.

2. Navigate to Alerts from the top menu.

3. Click New Alert Profile (found in the top right corner).

4. Enter a relevant Alert Name and Description (for example, Member Added to Azure AD Role).

5. Click the + symbol next to Report Profiles.

6. Under Domain, select the Cloud Account.

7. Choose User Modified as the report profile.

8. Tailor the Alert Message to suit your specific requirements.

9. Under Advanced Configuration, customize the alerts based on thresholds, business hours, and advanced filtering criteria.

10. Scroll down to the Filter section and enable it.

11. Set the first filter as follows:

1. Attribute: Property Name

2. Operator: Equals

3. Value: StrongAuthenticationMethod

12. Set the second filter as follows:

1. Attribute: Old Value

2. Operator: Equals

3. Value: []

13. This will generate alerts whenever MFA is enabled in Azure AD.

14. In the Alert Actions section, enable the E-mail Notification check box.

15. Enter recipient email addresses.

16. Provide a clear and relevant subject line for the email notification.

17. Select the preferred format for the alert email, either HTML or Plain Text.

18. Use the check boxes to select the details you would like to include in the email:

1. Alert Message

2. Alert Profile Name

3. Event Details

19. Enable the Throttle Notification check box to suppress multiple alerts into a single notification based on defined criteria.
    Example: If multiple logon failures are detected from the same user within 15 minutes, consolidate them into one alert.

20. If SMS provider settings are configured in ADAudit Plus (Admin > General Settings > Server Settings > SMS), enable the SMS Notification check box for real-time updates.

21. Enable the Execute Script check box to trigger a script automatically when a specific alert is generated.
    Example: Lock a user account temporarily after detecting 10 consecutive logon failures from that account.

22. If a ticketing tool is integrated with ADAudit Plus (Admin > Configuration > Ticketing system Integration), enable the Configure Auto Ticketing check box to automatically generate tickets for alerts.

Note: You can also use Throttle Ticket Generation to avoid creating a ticket for every alert and instead generate one for a group of alerts meeting certain conditions.

23. Click Save to activate the alert profile.

Validation and confirmation

• Manually add a test user to any Entra ID role using the Azure portal.

• Go to Alerts > Expand Cloud account under Profile based alerts.

• Choose the Alert profile that was created and View Alerts in the ADAudit Plus console.

• Verify that the alert appears with the correct event details (user, role, time).

• Ensure the alert email is received at the specified address.

Tips

• Use specific criteria for alerts.

• Configure alert conditions to monitor:

• Disabling of MFA from a user account

• Changes in strong authentication settings

• Administrative actions affecting MFA configurations

• Clearly label alerts like: MFA Enabled for Azure AD User – Immediate Attention Required

Related topics and articles  

• How to configure an alert to notify when MFA is disabled