Creating an Activity alert in Office 365

Within Office 365 you can use Audit Logging to monitor specific actions admins and users take. It’s comparable to auditing within Exchange, but covers most of the actions available in your Office 365 tenant. However, you need to run a search to find those actions, perhaps long after the fact. That might be adequate for most organizations, but it would be nice to get a near-immediate alert on the important stuff. Luckily, that is also possible!

Consider the following scenario: you share a document from SharePoint via an Anonymous link, meaning that everyone who has the link can download the document you just shared. Downloads are logged, but you require an alert right after one happens.

When you go to Security & Compliance>Search & Investigation>Audit log search, you will see a “New alert policy” button at the bottom of the page.


Click on that button and a new screen shows up.


Give it a name and a clear description. Under “Alert Type” you can choose “Custom” or “Elevation of privilege”. Choose Custom. Under “Choose activities for alert” select “Downloaded file”.


Under Users, keep the field empty in order to monitor Anonymous actions.


In the field “Send this alert to…” fill in the user(s) you want the alert sent to. Unfortunately it doesn’t seem to work with groups/contacts, but it does work with Shared Mailboxes. By default the address of the admin creating the alert is used.


After that, the configured mailbox will receive an alert mail whenever the alert is triggered.


If you no longer require the alert or need to adjust it, you can do that under Security & Compliance>Alerts>Manage Alerts.


Unfortunately, the alerts are less granular than the search: the search includes a field to further specify a file, folder or site, which is not available for alerts.
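
Because the alert cannot be limited to a file, folder or site, that scoping has to be applied afterwards to the audit records themselves. The following is an added example, not part of the original post: it filters exported audit records for anonymous downloads beneath one site URL. The sample rows are constructed, and the field names (Operation, UserId, ObjectId), the operation name FileDownloaded and the "anonymous" / "urn:spo:anon#" user markers are assumptions about the export format.

```python
import json
from urllib.parse import unquote

# Constructed sample rows (not real tenant data), one JSON audit record each.
# Field names and values are assumptions about the export; adjust as needed.
BASE = "https://contoso.sharepoint.com/sites/"
SAMPLE_ROWS = [
    '{"CreationTime":"2018-03-01T09:15:02","Operation":"FileDownloaded",'
    '"UserId":"urn:spo:anon#0123abcd","ObjectId":"' + BASE + 'HR/Shared%20Documents/pay.xlsx"}',
    '{"CreationTime":"2018-03-01T09:16:40","Operation":"FileDownloaded",'
    '"UserId":"urn:spo:anon#0123abcd","ObjectId":"' + BASE + 'HR-Archive/Docs/old.docx"}',
    '{"CreationTime":"2018-03-01T09:20:11","Operation":"FileDownloaded",'
    '"UserId":"admin@contoso.com","ObjectId":"' + BASE + 'HR/Shared%20Documents/pay.xlsx"}',
    '{"CreationTime":"2018-03-01T09:21:55","Operation":"FileAccessed",'
    '"UserId":"anonymous","ObjectId":"' + BASE + 'HR/Shared%20Documents/pay.xlsx"}',
    '{"CreationTime":"2018-03-01T09:30:00","Operation":"FileDown',  # truncated row
]

def is_anonymous(user_id):
    """Assumed markers for anonymous-link users in the UserId field."""
    uid = (user_id or "").lower()
    return uid == "anonymous" or uid.startswith("urn:spo:anon#")

def in_scope(object_id, scope_url):
    """True if object_id is the scope URL itself or lies beneath it."""
    def norm(url):
        return unquote(url or "").rstrip("/").lower()
    obj, scope = norm(object_id), norm(scope_url)
    # Compare on a path boundary so /sites/HR does not match /sites/HR-Archive.
    return obj == scope or obj.startswith(scope + "/")

def anonymous_downloads(rows, scope_url):
    """Return parsed records for anonymous FileDownloaded events in scope."""
    hits = []
    for row in rows:
        try:
            rec = json.loads(row)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed export rows
        if not isinstance(rec, dict):
            continue
        if (rec.get("Operation") == "FileDownloaded"
                and is_anonymous(rec.get("UserId"))
                and in_scope(rec.get("ObjectId"), scope_url)):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in anonymous_downloads(SAMPLE_ROWS, BASE + "HR"):
        print(rec["CreationTime"], rec["UserId"], rec["ObjectId"])
```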


Even so, it’s a great addition for those organizations that require more proactive monitoring of certain actions in their Office 365 tenant. There are a lot of actions from different services (SharePoint, Exchange, User provisioning, Teams etc.) that can be monitored, so check it out!

As the alert mails have a consistent format, you could create further actions based on the mail, for instance with Microsoft Flow.
