In this article:

• Objective

• Prerequisites

• Steps to follow

• Validation and confirmation

• Tips

• Related topics and articles

Objective  

This article explains how to configure an alert in ManageEngine ADAudit Plus to notify administrators whenever a Conditional Access Policy is deleted in Microsoft Entra ID (formerly Azure Active Directory). This helps administrators detect unauthorized or accidental policy removals, strengthens access control governance, and supports compliance with security and audit requirements.

Prerequisites 

• Access to the ADAudit Plus web console.

• A user account with administrator privileges or a technician account with delegated permissions to configure alerts under Cloud Directory.

• Ensure the Azure AD Audit module is properly configured and licensed in ADAudit Plus.

• Audit Logs must be actively collected from Microsoft Entra ID (i.e., ensure the Audit module under Cloud Directory shows a healthy sync status).

• ADAudit Plus should be integrated with Microsoft Entra ID via a registered app that has the required Microsoft Graph API permissions.

• Confirm that the reports in ADAudit Plus Cloud Directory > Conditional Policy Changes (delete) has the required data.

• To receive alert notifications via email, ensure the SMTP settings are configured under Admin > General Settings > Server Settings.

Steps to follow

Step 1: Create a New Alert Profile  

1. Log in to the ADAudit Plus web console as an administrator or with a technician account with delegated permissions to create or modify alerts.

2. Navigate to the Alerts tab.

3. In the top-right corner, click New Alert Profile.

4. Enter a relevant Name and Description (e.g., Conditional Access Policy delete in Azure).

5. Click the + button next to Report Profiles.

6. Under the Domain drop-down, select the Cloud Account.

7. Choose Directory Management as the report profile.

Step 2: Configure advanced alert settings  

1. Under Advanced Configuration, customize the alerts based on thresholds, business hours, and advanced filtering criteria.

2. Enable the Filter check box.

3. Use the drop-down menus to set the filter parameters:

1. Attribute: ACTIVITY

2. Operator: CONTAINS

3. Value: Delete Conditional Access Policy

This ensures alerts are triggered specifically when a new Conditional Access Policy is deleted in Microsoft Entra ID.

Step 4: Configure alert notification  

1. In the Alert Actions section, enable the E-mail Notification check box.

2. Enter recipient email addresses.

3. Provide a clear and relevant subject line for the email notification.

4. Select the preferred format for the alert email, either HTML or Plain Text.

5. Use the check boxes to select the details you would like to include in the email:

• Alert Message

• Alert Profile Name

• Event Details

6. Enable the Throttle Notification check box to suppress multiple alerts into a single notification based on defined criteria.
   Example: If multiple logon failures are detected from the same user within 15 minutes, consolidate them into one alert.

7. If SMS provider settings are already configured in ADAudit Plus (Admin > General Settings > Server Settings > SMS), enable SMS Notifications for real-time updates.

8. Enable the Execute Script option to trigger a script automatically when a specific alert is generated.
   Example: Lock a user account temporarily after detecting 10 consecutive logon failures from that account.

9. If a ticketing tool is integrated with ADAudit Plus (Admin > Configuration > Ticketing system Integration), enable Configure Auto Ticketing to automatically generate tickets for alerts.

Note: You can also use Throttle Ticket Generation to avoid creating a ticket for every alert and instead generate one for a group of alerts meeting certain conditions.

10. Click Save to activate the alert profile.

Validation and confirmation

• Trigger a test event.

• Go to Alerts and expand the cloud account under Profile Based Alerts.

• Choose the Alert profile that was created and view the alerts in the ADAudit Plus console.

• Verify that the alert appears with the correct event details (i.e., Activity, Initiated by, Timestamp, and Source).

• Ensure the alert email is received at the specified address.

Best practices

• Prioritize alerts for critical policies.

• Combine your alerts with modification and deletion alerts.

Related topics and articles

• How to create an alert for conditional policy updates in Microsoft Entra ID

• How to create an alert to notify for a conditional policy created in Microsoft Entra ID