Information is a precious good. Keeping an eye on specific accounts, and knowing when someone gets unauthorized access to a critical account, can be a life saver. But how do you manage this within your Microsoft tenant? Alert policies are exactly what is needed: you can set up a policy that triggers an alert as soon as an account connects to any Microsoft cloud service.

Move to alert policies in the Office 365 Security & Compliance Center of your tenant. This hidden tab can give you a wealth of information about a wide spectrum of specific user activities. From here alert policies can be created.
The example shows a policy that sends an email when "Test User 6" logs on. Always make sure you write a simple, understandable description, or even document what you do. (Of course you should always do this ;)) In my experience it can take up to 24 hours until the policy really becomes functional.

The alert policy is now created. This is what the email notification looks like (it can take up to 4 hours to receive):

Alright, but how do I manage my policies?

Normally this is an easy thing, but unfortunately not in my case: alert policies are listed in the portal under "Alerts > Alert policies", but I can't explain why there are no elements visible in my tenant. Luckily these policies are also accessible through Security & Compliance Center PowerShell, which is a modified PowerShell version. Here are the steps to follow:

  1. Log in to the Exchange Admin Center and move to "Hybrid".
  2. Download the module and execute it. (Use old school Internet Explorer for best results.)
  3. Optional: WinRM (Windows Remote Management) can sometimes block basic authentication. You can check this with "winrm get winrm/config/client/auth"; Basic = true is what to look for. If the value is false you have to temporarily set it to true with "winrm set winrm/config/client/auth @{Basic="true"}".
  4. Now execute the downloaded PowerShell version, use "Connect-IPPSSession -UserPrincipalName <your UPN>" and authenticate. (Important: MFA is possible with this method.)
  5. We're good to go: run "Get-ActivityAlert | Format-List Disabled,Name,Description,Operation,UserId,NotifyUser". This shows the basic, formatted values of all created alert policies.
    Perfect! Additional helpful commands are:

Remove Activity Alerts

Use: Remove-ActivityAlert "NAME"
Official Microsoft site

Edit Activity Alerts

Change Description

Use: Set-ActivityAlert "NAME" -Description "NEW DESCRIPTION"

Disable Alert

Use: Set-ActivityAlert "NAME" -Disabled $true (or $false to re-enable)

Change users to notify

Use: Set-ActivityAlert "NAME" -NotifyUser "UPN"

Official Microsoft site
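As an added example (not from the original post), the following script ties steps 3 to 5 and the management cmdlets above together: it checks the WinRM Basic auth setting, connects with MFA, and audits every activity alert policy for the two conditions a defender cares about most, a disabled policy and a policy that notifies nobody, before fixing them. It assumes the Exchange Online Management module (which provides Connect-IPPSSession) is installed; $Admin and $BackupNotify are placeholder values to replace.

```powershell
# Added example, not the post's own code. Assumes the Exchange Online
# Management module is installed; the two addresses below are placeholders.
param(
    [string]$Admin        = 'admin@contoso.example',   # placeholder admin UPN
    [string]$BackupNotify = 'secops@contoso.example'   # placeholder fallback recipient
)

# Step 3: the session is built over WinRM, which must allow Basic auth.
$basicOk = (winrm get winrm/config/client/auth) -match 'Basic\s*=\s*true'
if (-not $basicOk) {
    Write-Warning 'WinRM client Basic auth is off; run: winrm set winrm/config/client/auth @{Basic="true"}'
    return
}

# Step 4: interactive sign-in; an MFA prompt works with this cmdlet.
Connect-IPPSSession -UserPrincipalName $Admin

# Step 5: list every alert policy and flag the risky ones. A disabled policy
# or one with no recipient means the login you wanted to see goes unnoticed.
$report = foreach ($a in Get-ActivityAlert) {
    [pscustomobject]@{
        Name       = $a.Name
        Operation  = ($a.Operation -join ',')
        Watched    = ($a.UserId -join ',')
        NotifyUser = ($a.NotifyUser -join ',')
        Disabled   = $a.Disabled
        Finding    = if ($a.Disabled)            { 'DISABLED' }
                     elseif (-not $a.NotifyUser) { 'NO RECIPIENT' }
                     else                        { 'ok' }
    }
}
$report | Format-Table -AutoSize

# Remediate with the same Set-ActivityAlert cmdlet the post describes.
foreach ($row in $report | Where-Object Finding -ne 'ok') {
    if ($row.Finding -eq 'DISABLED') {
        Set-ActivityAlert -Identity $row.Name -Disabled $false
    } else {
        Set-ActivityAlert -Identity $row.Name -NotifyUser $BackupNotify
    }
    Write-Host "Fixed '$($row.Name)': $($row.Finding)"
}

# Tear the remote session down again.
Disconnect-ExchangeOnline -Confirm:$false
```

Run the audit part first without the remediation loop if you want a read-only view; the Finding column is what to watch for in a scheduled check.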
