Many of my customers want to get alerts whenever a specific user logs into Azure, like their break-glass administrator account—the account you use when everything else fails. The account does not have multi-factor authentication enabled, and there's no simple way to get these events and logs out of Azure Active Directory (Azure AD or AAD) and then into an Azure Monitor Log Analytics workspace to trigger an alert. Fortunately, now there is, and it is easy to configure.
By David O'Brien

Configure Azure AD diagnostic settings

Currently it's still in preview, but in your Azure portal, you can browse to the Azure AD tab and check out Diagnostic Settings. Just like on most other Azure resources that support this, you can now also forward your AAD logs and events to either an Azure Storage Account, an Azure Event Hub, Log Analytics, or a combination of all of these. These targets all serve different use cases; for this article, we will use Log Analytics.

If you have not created a Log Analytics workspace yet, go ahead and create one via the portal or using the command line or Azure Cloud Shell:

# Resource group and region that will hold the workspace
$rgName = 'aadlogs'
$location = 'australiasoutheast'
New-AzResourceGroup -Name $rgName -Location $location
# Create the Log Analytics workspace on the Free pricing tier
New-AzOperationalInsightsWorkspace -ResourceGroupName $rgName -Name 4soaadlogs -Location $location -Sku free

This will create a free Log Analytics workspace in the Australia Southeast region. The next step is to configure the actual diagnostic settings on AAD.

Diagnostic settings overview

Unfortunately, there is no straightforward way of configuring these settings for AAD from the command line, although articles exist that explain workarounds to automate this configuration. Usually, this should really be a one-time task because companies generally tend to have only one or a very small number of AADs. Not being able to automate this should therefore not be a massive deal.

Configure AAD diagnostic settings

In this dialog, select an existing Log Analytics workspace, select both types of logs to store in Log Analytics, and hit Save.

There will be a note that to export the sign-in logs to any target, you will require an AAD P1 or P2 license. You can check the documentation to find all the other features you will unlock by purchasing P1 or P2, a highly recommended option.

With these licenses, AAD will now automatically forward logs to Log Analytics, and you can consume them from there.

Querying AAD logs with Log Analytics

In the Logs tab of the Log Analytics workspace, you gain access to the online Kusto Query Language (KQL) query editor. In my environment, the administrator I want to alert on has a User Principal Name (UPN) of auobrien.david@outlook.com. We can run the following query to find all the login events for this user:

SigninLogs
| where OperationName == "Sign-in activity"
| where UserPrincipalName == "auobrien.david@outlook.com"

Kusto query to find sign-in events

Executing this query should find the most recent sign-in events by this user. If there are no results for this time span, adjust it until there is one and then select New alert rule.
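Most tenants have more than one break-glass account, and an on-call responder needs more than a hit count to triage the alert. The following query is an added example, not taken from the original article: it watches a list of accounts, labels each sign-in as success or failure from the ResultType code, and pulls out the source IP, location, and Conditional Access outcome. The UPNs are placeholders to replace with your own.

```kusto
// Added example (not from the original article).
// Break-glass UPNs below are placeholders; replace with your tenant's accounts.
let BreakGlassAccounts = dynamic([
    "breakglass1@contoso.onmicrosoft.com",   // placeholder
    "breakglass2@contoso.onmicrosoft.com"    // placeholder
]);
SigninLogs
| where TimeGenerated > ago(1h)
| where OperationName == "Sign-in activity"
// in~ is a case-insensitive membership test, so UPN casing differences do not hide a hit
| where UserPrincipalName in~ (BreakGlassAccounts)
// ResultType "0" is a successful sign-in; any other code is a failure and still worth alerting on
| extend SignInOutcome = iff(ResultType == "0", "Success", strcat("Failure (", ResultType, ")"))
| extend Location = strcat(tostring(LocationDetails.city), ", ", tostring(LocationDetails.countryOrRegion))
| project TimeGenerated, UserPrincipalName, SignInOutcome, IPAddress, Location,
          AppDisplayName, ClientAppUsed, ConditionalAccessStatus
| order by TimeGenerated desc
```

Used as the alert query with a threshold of "number of results greater than 0", any row, successful or failed, fires the action group, and the projected columns land in the notification payload.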

Log Analytics query results

You can now configure a threshold that will trigger this alert and an action group to notify in such a case. An action group can be an email address in its easiest form or a webhook to call.

Creating an Azure alert for a user login

It is important to understand that there is a time delay from when the event occurred to when the event is available in Log Analytics, which then triggers the action group. This can take up to 30 minutes.


In just a few minutes, you have configured an alert that triggers automatically whenever the above admin logs in.

5 Comments
  1. Sign-in diagnostic logs many times take a considerable time to appear. For many customers, this much delay in production-environment alerting turns out to be infeasible. For a real-time Azure AD sign-in monitoring and alert solution, consider the 'EMS – Cloud App Security' policy solution. The EMS solution requires an additional license. I personally prefer using Log Analytics solutions for historical security and threat analytics.

  2. mybaplc login 4 years ago

    Hello,
    after reading your detailed article I was able to log in to my account. I just have another simple question: is it possible to log in to my account with two different passwords?
    Thanks again for sharing this great article.

    • Azure AD supports multiple authentication methods such as password, certificate, and token, as well as the use of multiple authentication factors. However, it does not support multiple passwords for the same account.

  3. Jeoff 3 years ago

    I realize it takes some time for these alerts to be sent out, but it's better than nothing if you don't have E5 Cloud App Security. Thanks for the article!

  4. Akr 3 years ago

    Log Analytics is not a very reliable solution for break-the-glass accounts.

    Sign-in log information has sometimes taken up to 3 hours before it is exported to the allocated Log Analytics workspace.

    Not a viable solution if you are monitoring a highly privileged account.

    Raised a case with Microsoft repeatedly; nothing to be done about it.

    Moving on... Using a third-party tool.

    Do not misunderstand me, Log Analytics workspace alerts are good, just not good enough for activity monitoring that requires a short response time.

© 4sysops 2006 - 2023