Configuring alert options

Azure AD Identity Protection is only effective if the available alerting options are correctly configured, the alerts are being diligently reviewed by administrators, and the appropriate steps are being taken where needed. Identity Protection has two notification settings that can be configured to alert administrators of risk detections within Microsoft 365. These are Users at risk detected alerts and Weekly digest. Let's look at each of these in turn.

Users at risk detected alerts

This alert can be found under the Notify section of the Azure AD Identity Protection pane and can be used to configure an email alert that will be sent to administrators when a user at risk is detected. The benefit of this is that administrators will receive email alerts as soon as the risk event is detected:

Figure 5.15 – Notification options

Clicking on Users at risk detected alerts under Notify will allow you to configure its options.

You can then complete the following steps to set the alert risk level, configure who will receive the alerts, and also download a report that will show you who has been set to receive these alerts:

  1. You will see the following options (by default, the risk level is set to High):

    Figure 5.16 – Setting the alert level

  2. Choose the alert level that you wish to configure, and then click to select which users are going to receive these alert emails:

    Figure 5.17 – Selecting users for alerts

  3. Once you have added the required users, click Select and then Save.
  4. You can also click Download to generate a CSV file that contains the users who have been configured to receive these alerts:

    Figure 5.18 – Example of a CSV report

When an alert email is triggered, the included recipients will receive a notification email in the following format:

Figure 5.19 – Example of an email alert

Clicking on View detailed report will direct the email recipient to log in to Azure AD Identity Protection in the Azure Portal, view the alert, and take corrective action.

Weekly digest

While Users at risk detected alerts are generated whenever Azure AD Identity Protection detects a risk, the Weekly digest works differently: it sends an email on a weekly basis to show administrators how many users have been flagged for risk, how many risk events have been detected, and how many vulnerabilities have been detected.

The Weekly digest alert can also be found under the Notify section of Azure AD Identity Protection and can be configured as follows:

  1. Click on Weekly digest; you will see the following options:

    Figure 5.20 – Weekly email digest

  2. Click Included, under Emails are sent to the following users, to select who the weekly digest emails will be sent to:

    Figure 5.21 – Selecting users for the Weekly digest

  3. Once you have chosen the users you wish to include and are happy with your selections, click Select and then Save.

When the Weekly digest email has been generated, targeted users will receive a notification email in the following format:

Figure 5.22 – Weekly digest email format

There are two options that the recipient can select from the email. These are as follows:

  • New risky users detected
  • New risky sign-ins detected (in real time)

Clicking on either of these will take the recipient directly into the Azure AD Identity Protection pane of the Azure portal. In the Report section, they can view and address the recorded incidents.

Important note

Configuring the Users at risk detected alerts and the Weekly digest email will help you keep on top of the risks that Azure AD Identity Protection detects. Review these regularly.

Next, we will show you how to manage and resolve risk events.