Entra ID Users and Devices Event Monitor
Overview
The Entra ID Users and Devices Event Monitor monitors your Entra ID users and sends alerts if users have been modified, deleted, or newly created since the last time the event monitor checked.
Use Cases
- Receiving alerts about modified, deleted, and new users
- Confirming group membership of users
Monitoring Options
- Alert with [Info/Warning/Error/Critical] if the device cannot be contacted: This option will send you an alert if the device cannot be contacted.
- Alert with [Info/Warning/Error/Critical] if user accounts are newly created: Use this option to receive an alert if the event monitor detects user accounts that have been newly created.
- Alert with [Info/Warning/Error/Critical] if user accounts are deleted: This option will send an alert if user accounts have been deleted.
- Alert with [Info/Warning/Error/Critical] if user accounts have not logged in for [#] days: Use this option to receive an alert if user accounts have not logged in for a specified number of days.
- Alert with [Info/Warning/Error/Critical] if user accounts are disabled: Use this option to get alerted if user accounts are disabled.
- Alert with [Info/Warning/Error/Critical] if user accounts do not have MFA enabled: Use this option to receive an alert if user accounts do not have multi-factor authentication enabled.
- Only check users in the following group: Enable this option to check only users in the group you specify.
- User accounts to ignore: Enter the names of the accounts to ignore, separated by commas. Note that this feature does not apply to deleted accounts.
- Ignore disabled user accounts: Check this box to ignore disabled user accounts.
- Ignore guest accounts: Use this filter option to ignore Entra ID guest accounts.
- Ignore member accounts: Use this option to ignore member accounts in Entra ID.
- Ignore accounts that have never logged in: This option lets you ignore user accounts that have never logged in.
- Group name: Enter a group ID that will be checked. This option allows you to be notified whenever changes are made to specific groups in Microsoft Entra.
- Alert with [Info/Warning/Error/Critical] if members are added: Use this option to receive an alert if members have been added since the event monitor last ran.
- Alert with [Info/Warning/Error/Critical] if members are removed: This option will send an alert if members are removed from Entra ID.
- List the first [#] detected group members: Enable this option to include a list of detected group members in the event text. Enter the number of group members you want displayed.
- Alert with [Info/Warning/Error/Critical] if computers are added: This option will send you an alert if computers have been added since the last time the event monitor checked.
- Alert with [Info/Warning/Error/Critical] if computers are deleted: Enable this option to receive an alert if computers have been deleted since the last time the event monitor ran.
Authentication and Security
The account used to authenticate must have the following permissions at the application level in Microsoft Graph:
- User.Read.All
- Directory.Read.All
- Group.Read.All
- Device.Read.All
- GroupMember.Read.All
- AuditLog.Read.All
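
To confirm that the app registration used by the monitor holds exactly the permissions listed above and nothing broader, the following added example (not part of the product or its documentation) decodes the `roles` claim of an app-only Microsoft Graph access token and reports missing and excess permissions. The function names and the sample token are constructed for illustration; the token signature is not verified because the token is only inspected, not trusted.

```python
import base64
import json

# Application permissions listed on this page for the monitor's account.
REQUIRED_ROLES = frozenset({
    "User.Read.All", "Directory.Read.All", "Group.Read.All",
    "Device.Read.All", "GroupMember.Read.All", "AuditLog.Read.All",
})


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def audit_token_roles(jwt):
    """Compare a token's 'roles' claim with REQUIRED_ROLES (no signature check)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 segments)")
    claims = _b64url_json(parts[1])
    # App-only tokens carry 'roles'; delegated tokens carry 'scp' instead.
    if "scp" in claims and "roles" not in claims:
        raise ValueError("delegated token: no application permissions present")
    granted = set(claims.get("roles", []))
    excess = granted - REQUIRED_ROLES
    return {
        "missing": sorted(REQUIRED_ROLES - granted),
        "excess": sorted(excess),
        # Heuristic on Graph naming: '...ReadWrite...' roles can modify data.
        "write_capable": sorted(r for r in excess if "Write" in r),
    }


def make_sample_token(roles):
    """Build an unsigned, constructed token for the demo (not a real one)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"aud": "https://graph.microsoft.com", "roles": roles}
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    sample = make_sample_token(
        sorted(REQUIRED_ROLES - {"AuditLog.Read.All"}) + ["User.ReadWrite.All"])
    print(audit_token_roles(sample))
```

An empty `missing` list together with an empty `excess` list means the token matches the read-only set on this page; any entry under `write_capable` indicates the app can change directory data and should be reviewed.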
Protocols
Data Points
| Data Point | Description |
|---|---|
| Deleted Devices | Number of deleted devices. |
| Deleted Users | Number of deleted users. |
| Disabled Users | Number of disabled user accounts. |
| New Devices | Number of new devices since last check. |
| New Users | Number of new users since last check. |
| Stale Accounts | Number of stale accounts. |
| Users Without MFA | Number of user accounts without multi-factor authentication enabled. |
Sample Output
