How to detect and get alerted to logins from anonymized IP addresses in Entra ID

Objective

This article guides you through the process of detecting and configuring alerts for login attempts originating from anonymized IP addresses in Entra ID. This helps you identify potentially suspicious login activities that may indicate compromised accounts or malicious access attempts.

Prerequisites

    • You need access to the ADAudit Plus web console.

    • You need a user account with administrator privileges or a technician account with delegated permissions to configure alerts under Cloud Directory.

    • The Entra ID module must be properly configured and licensed in ADAudit Plus.

    • Audit logs must be actively collected from Entra ID (i.e., ensure the Auditing module under Cloud Directory shows a healthy sync status).

    • If you want alert notifications sent via email, ensure that SMTP settings are configured under Admin > General Settings > Server Settings in ADAudit Plus.

Steps to follow

  1. Log in with either an account that has the Administrator role or a technician account with delegated permissions to create and modify alerts.
  2. Navigate to Alerts from the top menu.
  3. Click New Alert Profile in the top-right corner.

  1. Enter a relevant alert Name and Description (e.g., Member added to an Entra ID role).

  2. Click the + symbol next to Report Profiles.

  1. From the Domain drop-down, select the cloud account.

  2. Select Risk Events as the report profile and click OK.

  3. Scroll down to the Filter check box and click it.

  4. Set the first filter as follows:

    • Attribute: Select Risk Event Type.

    • Operator: Select equals.

    • Value: Select anonymizedIPAddress.

This will generate alerts whenever a login from an anonymized IP address happens in Entra ID.
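As an added illustration (not part of this article or the ADAudit Plus product), the Python below applies the same filter, Risk Event Type equals anonymizedIPAddress, to sample risk detections and consolidates repeated hits for the same user within 15 minutes, the way the Throttle Notification option described later in this article does. The field names follow the Microsoft Graph riskDetection resource; the records themselves are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample risk detections. Field names follow the Microsoft Graph
# riskDetection resource (riskEventType, userPrincipalName, ipAddress,
# activityDateTime); the values are made up for this example.
SAMPLE_RISK_DETECTIONS = [
    {"riskEventType": "anonymizedIPAddress", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "activityDateTime": "2024-05-01T09:00:00Z"},
    {"riskEventType": "anonymizedIPAddress", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.11", "activityDateTime": "2024-05-01T09:07:00Z"},
    {"riskEventType": "unfamiliarFeatures", "userPrincipalName": "bob@example.com",
     "ipAddress": "198.51.100.5", "activityDateTime": "2024-05-01T09:10:00Z"},
    {"riskEventType": "anonymizedIPAddress", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.12", "activityDateTime": "2024-05-01T09:40:00Z"},
    {"riskEventType": "anonymizedIPAddress", "userPrincipalName": "carol@example.com",
     "ipAddress": "203.0.113.20", "activityDateTime": "2024-05-01T09:41:00Z"},
]

def parse_time(value):
    """Parse an ISO-8601 timestamp with a trailing Z (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def match_filter(detection, risk_event_type="anonymizedIPAddress"):
    """The report filter from the article: Risk Event Type equals <value>."""
    return detection.get("riskEventType") == risk_event_type

def build_alerts(detections, throttle_window=timedelta(minutes=15)):
    """Apply the filter, then throttle: detections for the same user that fall
    within the window of the first one are merged into a single alert."""
    matched = sorted((d for d in detections if match_filter(d)),
                     key=lambda d: parse_time(d["activityDateTime"]))
    alerts = []
    open_alert = {}  # user -> the alert currently accepting events for that user
    for d in matched:
        user = d["userPrincipalName"]
        ts = parse_time(d["activityDateTime"])
        current = open_alert.get(user)
        if current and ts - current["first_seen"] <= throttle_window:
            current["count"] += 1
            current["ip_addresses"].append(d["ipAddress"])
            current["last_seen"] = ts
        else:
            current = {"user": user, "first_seen": ts, "last_seen": ts,
                       "count": 1, "ip_addresses": [d["ipAddress"]]}
            alerts.append(current)
            open_alert[user] = current
    for a in alerts:  # alert message carrying the details the article's tips recommend
        a["message"] = (f"Login from anonymized IP address: {a['user']} "
                        f"({a['count']} event(s) from {', '.join(a['ip_addresses'])})")
    return alerts
```

With the sample data, alice's two logins seven minutes apart become one alert, her third login 40 minutes later a second alert, and carol's login a third.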

  1. In the Alert Actions section, click the E-mail Notification check box.

  2. Enter the recipient email addresses.

  3. Provide a clear, relevant subject line for the email notification.

  4. Select the preferred format for the alert email: either HTML or Text.

  5. Click the check boxes to select the details you would like to include in the email:

    • Alert Message

    • Alert Profile Name

    • Event Details

  6. Click the Throttle Notification check box to combine multiple alerts into a single notification based on the defined criteria. For example, if multiple login failures are detected from the same user within 15 minutes, consolidate them into one alert.

  7. If SMS provider settings are configured in ADAudit Plus (under Admin > General Settings > Server Settings > SMS), click the SMS Notification check box for real-time updates.

  8. Click the Execute Script check box to trigger a script automatically when a specific alert is generated. For example, lock a user account temporarily after detecting 10 consecutive logon failures from that account.

  9. If a ticketing tool is integrated with ADAudit Plus (under Admin > Configuration > Ticketing System Integration), click the Configure Auto Ticketing check box to automatically generate tickets for alerts.

Note: You can also click the Throttle Ticket Generation check box to avoid creating a ticket for every alert and instead generate one for a group of alerts meeting certain conditions.

  1. Click Save to activate the alert profile.

Validation and confirmation

  1. Manually add a test user to any Entra ID role using the Azure portal.
  2. Navigate to Alerts > Profile Based Alerts and select the cloud account.
  3. Select the alert profile that was created and view the alerts in the ADAudit Plus console.

  4. Verify that the alerts appear with the correct event details (the user, role, time, etc.).

  5. Ensure that the alert email is received at the specified addresses.

Tips

  • Include key details in the alert message.

  • Add dynamic values such as the following:

    • The username

    • The time of the action

    • Who performed the action

    • The client IP or source

  • Create dedicated alert profiles for administrators or critical service accounts to monitor user disablement more closely.

  • Store the alert history for audit trails and compliance reporting.
