How to create an alert to notify when admin consent for any application is granted using ADAudit Plus


Objective  

This article explains how to configure an alert in ManageEngine ADAudit Plus to notify administrators whenever admin consent is granted to any application in Microsoft Entra ID (formerly Azure Active Directory). This helps organizations detect potential privilege escalation, maintain visibility into third-party application permissions, and strengthen compliance with security and access governance policies.

Prerequisites  

    • You'll need access to the ADAudit Plus web console.

    • You need to use an account with administrator privileges or a technician account with delegated permissions to configure alerts in the Cloud Directory tab.

    • The Entra ID Audit module must be properly configured and licensed in ADAudit Plus.

    • Audit logs must be actively collected from Entra ID (i.e., ensure the Audit module under Cloud Directory shows a healthy sync status).

    • Ensure email server settings are configured in ADAudit Plus if you wish to receive alert notifications via email.

Steps to follow

Step 1: Create a New Alert Profile  

  1. Log in to the ADAudit Plus web console as an administrator or with a technician account with delegated permissions to create/modify alerts.

  2. Navigate to the Alerts tab.

  3. Click New Alert Profile in the top-right corner.

  4. Provide a relevant Name and Description.
    (Example: Alert – Admin Consent Granted to Entra ID)

  5. Click the + symbol next to Report Profiles.

  6. From the Domain drop-down, select the cloud account.

  7. Choose Applications Modified as the report profile.

  8. You can tailor the Alert Message to suit your specific requirements.

Step 2: Configure advanced alert settings

  1. The Advanced Configuration options allow you to customize alerts based on thresholds, business hours, and advanced filtering criteria.

  2. Under Advanced Configuration, check the box next to Filter.

  3. Set the filter:

    1. Attribute: ACTIVITY

    2. Operator: contains

    3. Value: Consent to Application

Note: This filter ensures that alerts are triggered for any application receiving admin consent.

Step 3 (if required): Monitor a specific application  

  1. To restrict alerts to a specific application only:

    1. Click the + icon.

    2. Set the second filter with the AND condition:

      1. Attribute: TARGET NAME

      2. Operator: equals

      3. Value: (Name of the specific application)
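
The filter logic from Steps 2 and 3, replayed over exported Entra ID audit records so you can cross-check which events the alert should fire on. This is an added example, not ManageEngine code: it assumes ACTIVITY corresponds to `activityDisplayName` and TARGET NAME to `targetResources[].displayName` in Microsoft Graph directoryAudit records, that "contains" is case-insensitive and "equals" is exact, and it additionally reads the `ConsentContext.IsAdminConsent` property that Entra ID records on consent events. All sample records are constructed.

```python
# Added example: replays the Step 2/3 alert filters over Entra ID audit records.
# Assumption: ACTIVITY ~ activityDisplayName, TARGET NAME ~ targetResources[].displayName.
ACTIVITY_VALUE = "Consent to Application"  # filter value from Step 2

def _event(when, activity, actor, app, admin_flag=None):
    """Build a constructed record in Microsoft Graph directoryAudit shape."""
    props = []
    if admin_flag is not None:
        props.append({"displayName": "ConsentContext.IsAdminConsent",
                      "newValue": '"%s"' % admin_flag})
    return {"activityDateTime": when, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"displayName": app, "modifiedProperties": props}]}

# Constructed sample data, not real tenant logs.
SAMPLE_EVENTS = [
    _event("2024-05-01T09:12:00Z", "Consent to application", "admin@example.test", "Contoso Reporting", "True"),
    _event("2024-05-01T10:40:00Z", "Consent to application", "user1@example.test", "Mail Helper", "False"),
    _event("2024-05-01T11:05:00Z", "Update application", "admin@example.test", "Contoso Reporting"),
    _event("2024-05-02T08:30:00Z", "Consent to application", "admin@example.test", "Backup Sync", "True"),
]

def matches_filter(event, target_name=None):
    """Step 2 filter (ACTIVITY contains) AND, if given, Step 3 filter (TARGET NAME equals)."""
    if ACTIVITY_VALUE.lower() not in event.get("activityDisplayName", "").lower():
        return False
    if target_name is None:
        return True
    return any(t.get("displayName") == target_name for t in event.get("targetResources", []))

def is_admin_consent(event):
    """True when the event's modified properties mark the grant as admin consent."""
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "ConsentContext.IsAdminConsent":
                return (prop.get("newValue") or "").strip('"').lower() == "true"
    return False

def triage(events, target_name=None):
    """Return (time, actor, application, admin_consent) for each matching event."""
    rows = []
    for e in events:
        if not matches_filter(e, target_name):
            continue
        actor = ((e.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName", "unknown")
        apps = ", ".join(t.get("displayName", "") for t in e.get("targetResources", []))
        rows.append((e["activityDateTime"], actor, apps, is_admin_consent(e)))
    return rows
```

Rows where the last field is `False` matched the activity filter but were not recorded as admin consent, which is worth knowing when comparing alert volume against expectations.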

Step 4: Configure an alert notification  

  1. In the Alert Actions section, enable E-mail Notification.

  2. Enter the recipient email addresses where the alert should be delivered.

  3. Provide a clear and relevant subject line for the email notification.

  4. Select the preferred format for the alert email, either HTML or Plain Text.

  5. Select the details you would like to include in the email, such as:

    • Alert Message

    • Alert Profile Name

    • Event Details

  6. Enable the Throttle Notification option to suppress multiple alerts into a single notification based on defined criteria.
    Example: If multiple logon failures are detected from the same user within 15 minutes, consolidate them into one alert after that time window.

  7. If SMS provider settings are already configured in ADAudit Plus (Admin > General Settings > Server Settings > SMS), enable SMS Notifications for real-time updates.

  8. Enable the Execute Script option to trigger a script automatically when a specific alert is generated.
    Example: Lock a user account temporarily after detecting 10 consecutive logon failures from that account.

  9. If a ticketing tool is integrated with ADAudit Plus (Admin > Configuration > Ticketing system Integration), enable Configure Auto Ticketing to automatically generate tickets for alerts.

Note: You can also use Throttle Ticket Generation to avoid creating a ticket for every alert and instead generate one for a group of alerts meeting certain conditions.

  10. Click Save to activate the alert profile.

Validation and confirmation

  • In Entra ID, grant admin consent to a test application through the API permissions pane.

  • Go to Alerts and expand Cloud account under Profile Based Alerts. 

  • Choose the alert profile that was created and view the alerts in the ADAudit Plus console.

  • Verify that the alert appears with the correct application name and activity (Consent to application).

  • Ensure the alert email is received at the specified address.

  • If you have configured a filter for a specific application, confirm that alerts are triggered only for that application and not for others.

Best practices

  • Monitor all admin consent events by default.

  • Focus on high-risk applications.

  • Ensure the cloud directory module is collecting logs from Entra ID in ADAudit Plus.

Related topics and articles

    • How to create an alert to notify when a member is removed from any role.
