How to Set Up Alerts for Azure AD Emergency Access Account

Azure AD Emergency Access Account is Microsoft Identity Management as a Service (IDaaS) solution. It provides seamless access, easy collaboration and higher efficiency in IT processes as well as improved security and compliance.

For an uninterrupted administrative access and under all conditions, Microsoft recommends the creation of a minimum – at least one emergency access account in Azure Active Directory. This is peculiar with organizations that have deployed the premium Azure Active Directory P1 and/or Azure Active Directory P2 licenses designated to their admins and users. 

When Emergency Account is Used? 

Several reasons exist why an organization might require the need for an emergency account in the Azure Active Directory. Some of them include; 

  • Accounts for users in the organization and other admin access are federated and the federation implementation is not available 
  • The administrator registers via Azure Multi-Factor Authentication (MFA) and all their personal devices are not available or the service itself is not available 
  • All synchronized account with admin access are deleted and or disabled on-prem 
  • Unforeseen situation like acts of God like natural disasters such as mud slides, earthquake, fire outbreaks etc. during which mobile phones or other means of communication might be unavailable 

In case of the second instance, an emergency access account with the privileged authentication admin – in a case where multi-factor authentication is set through Conditional Access would be sufficient. 

Privileged Identity Management (PIM) generates alerts in case of a suspicious or unhealthy activity in your Azure Active Directory organization. At the instance an alert is triggered, it shows on the privileged identity management dashboard. The alert can then be selected to see a report that highlights the users or activities that initiated the alert. 

Setting up for your Azure Active Directory requires you to identify some underlying factors. One important one is determining your version of PIM.  

Started in November 2019, Azure Active Directory rationing of Privileged Identity Management was updated to a newer version that matches the Azure resource role experiences. This singular action creates extra features as well as modifications to the existing API. While the new version is being implemented, the procedures to follow are largely a function of your Privileged Identity Management version.  

How to configure Alerts for Azure Active Directory 

Azure Log Analytics and Azure Monitor alerts is required to establish the solution to notify when an emergency account is used to sign in. 

The first step;

Set Up a Log Analytics Workplace 

The first step is to setup a Log Analytics Workplace. By default, Azure subscriptions do not get configured with a Log Analytics workplace hence, ab initio a Log Analytics Workplace is required. 

The first thing is to log onto the Azure Portal via an account with one or more of the roles mentioned in the requirements above. In the Azure portal, click “All services”. Amongst the resources, type Log Analytics. When typing begins, filters to the list are applied according your input. Choose Log Analytics workspaces from the options. 

Second Step 

While you are still logged on in the Azure AD Portal, click on “Azure Active Directory” in the left side of the navigation menu. Choose “Diagnostic settings” in Azure AD’s navigation menu. In the main pane, select “Add diagnostic setting”. The Diagnostic settings blade  then appears. 

On the “Diagnostic settings” blade, create a name for the diagnostic settings. Click the Send to “Log Analytics workspace” check box. Select the Log Analytics workspace of your choice to send the logs to, or create a new workspace in the dialog box provided. 

Third Step 

The Azure AD Portal while still logged on, select “Monitor” in the left navigation menu. 

 Select “Alerts” in Azure Monitor’s navigation menu. Select the + “New alert rule” link in the main pane. In the Scope area effect the following modifications:  

Click the Select resource link. The Select a resource blade would then appears. From the Filter by subscription drop-down list, choose the Azure subscription containing the previously created Log Analytics workspace. In the Resource list, choose the previously created Log Analytics workspace. Click “Done” at the bottom of the Select a resource blade to save the settings and close the blade. 

In the “Condition”area make the following changes: Click the “Select condition”link. The “Configure signal logic” blade appears. In the “Signal name”list, select “Custom log search”.  

Fourth Step 

To ensure the notification works as expected, login with the emergency access account into the Azure Portal or any other Azure AD-integrated service. An alert should trigger within 5 minutes. If it doesn’t, retrace your steps.