Monitors and alerts about users' successful and/or failed login attempts.
This event monitor can be configured to alert about both successful and failed login attempts. It can also be set to include or exclude certain users, applications, and resources from all checks performed by the monitor.
This event monitor provides the following options:
This option will alert you at the level of your choosing if Azure can't be contacted.
Enable this option to receive an alert if a login is failed twice or more.
This option will notify you of every successful login with an alert of your choice.
This option lets you specify a list of users that the event monitor will check over exclusively.
Enter a comma-separated list of users that will be excluded from all checks.
The applications you list here will be included in all checks.
The applications you list here will be excluded from all checks.
The resources you list here will be included in all checks.
The resources you list here will be excluded from all checks.
First, you'll need to create an app registration to add to your event monitor's authentication profile. Information on how to do this can be found in our "Creating an Azure Authentication Profile" article.
The app registration must be granted the MSGraph AuditLog.Read.All permission. Your Azure subscription must be for a Premium P1 or P2 account. Microsoft does not support login monitoring with non-premium accounts.
This event monitor generates the following data points:
|Failed Logins||The number of failed logins.|
|Successful Logins||The number of successful logins.|
To view the tutorial for this event monitor, click here.
Add a comment