
Add Alert

Manage scheduled tenant alerts.


Last updated 16 days ago


CIPP offers a set of scheduled, recurring alert checks. Some of these duplicate Microsoft Alerts functionality in a more MSP-friendly manner, and some are not available as a Microsoft Alert at this time. Similar to Tenant Standards, you use the wizard to select one or more tenants, or -All Tenants- to apply alerts globally, and then select from the list of available alerts.

Alert Types

Within CIPP, there are two types of alerts:

  • Audit Log Alert - These alerts are based on Microsoft audit logs.

  • Scripted CIPP Alert - These alerts have been developed by CIPP to pull from sources other than the audit logs.

Alert Timing

  • Audit Log Alerts - Processed in near real-time, but a small delay of up to 15 minutes is normal.

  • Scripted CIPP Alerts - Each alert comes with a default value suggested by the CIPP team, but you can adjust it as needed. The available timings are:

    • 365 days / 1 year

    • 30 days / 1 month

    • 7 days / 1 week

    • 1 day

    • 4 hours

    • 1 hour

    • 30 minutes

Alert Delivery Methods

Available Scripted CIPP Alerts

  • Alert on users without any form of MFA

  • Alert on admins without any form of MFA

  • Alert on tenants without a Conditional Access policy, while having Conditional Access licensing available.

  • Alert on changed admin passwords

  • Alert on licensed users that have not logged in for 90 days

  • Alert if Entra Connect sync is enabled and has not run in the last X hours

  • Alert on % mailbox quota used

  • Alert on % SharePoint quota used

  • Alert on licenses expiring in 30 days

  • Alert on new apps in the application approval list

  • Alert on Security Defaults automatic enablement

  • Alert if Defender is not running (Tenant must be on-boarded in Lighthouse)

  • Alert on Defender Malware found (Tenant must be on-boarded in Lighthouse)

  • Alert on new Defender Incidents found

  • Alert on unused licenses

  • Alert on overused licenses

  • Alert on Entra ID P1/P2 license over-utilization

  • Alert on expiring application secrets

  • Alert on new Apple Business Manager terms

  • Alert on expiring application certificates

  • Alert on expiring APN certificates

  • Alert on expiring VPP tokens

  • Alert on expiring DEP tokens

  • Alert on soft deleted mailboxes

  • Alert on device compliance issues

  • Alert on (new) potentially breached passwords. Generates an alert if a password is found to be breached.

  • Alert on Huntress Rogue Apps detected

  • Alert when Tenant External Recipient Rate Limit exceeds X %

Available Template Audit Log Alerts

  • A new Inbox rule is created

  • A new Inbox rule is created that forwards e-mails to the RSS feeds folder

  • A new Inbox rule is created that forwards e-mails to a different email address

  • A new Inbox rule is created that redirects e-mails to a different email address

  • An existing Inbox rule is edited

  • An existing Inbox rule is edited that forwards e-mails to the RSS feeds folder

  • An existing Inbox rule is edited that forwards e-mails to a different email address

  • An existing Inbox rule is edited that redirects e-mails to a different email address

  • A user has been added to an admin role

  • A user's sessions have been revoked

  • A user's MFA has been disabled

  • A user has been removed from a role

  • A user password has been reset

  • A user has logged in from a location not in the input list

  • A service principal has been created

  • A service principal has been removed

  • A user has logged in using a known VPN, proxy, or anonymizer

  • A user has logged in using a known hosting provider IP

Example Usage

You might want to be alerted when a particular account logs into one of your tenants, for example a Global Admin or break glass account. This is relatively simple if you have consistent naming across your tenants, e.g. mylovelybreakglassaccount@tentantdomains.com

  1. Create an Audit log alert.

  2. In the tenant selector, select All Tenants. Selecting All Tenants will allow you to optionally exclude tenants from the alert.

  3. Select Azure AD as the log source.

  4. Select "Operation" as the When property.

  5. Select "Equals To" as the is property.

  6. In the input field, select "A user logged in".

  7. Add an extra set of variables.

  8. Select "Username" as the When property.

  9. Select "Like" as the is property.

  10. Enter the username to test for across all tenants, e.g. mylovelybreakglassaccount@* (note the * after the @ to match all domains).

  11. Choose the action(s) you want and save the alert.
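To check what the rule built in the steps above will and will not match before saving it, the two conditions can be dry-run against sample records. This is an added example, not CIPP's own code: the record layout, the `Tenant` field, the excluded tenant and the reading of "Like" as a case-insensitive wildcard match are assumptions.

```python
from fnmatch import fnmatchcase

# The two conditions from the steps above, using the page's property labels.
RULE = [
    ("Operation", "Equals To", "A user logged in"),
    ("Username", "Like", "mylovelybreakglassaccount@*"),
]
EXCLUDED_TENANTS = {"lab.example"}  # hypothetical exclusion (step 2)

def condition_holds(record, prop, operator, value):
    """Evaluate one When/is/value condition (assumed case-insensitive)."""
    actual = str(record.get(prop, "")).lower()
    if operator == "Equals To":
        return actual == value.lower()
    if operator == "Like":
        # The whole string must match, so the pattern is anchored at the '@'.
        return fnmatchcase(actual, value.lower())
    raise ValueError(f"unsupported operator: {operator}")

def rule_fires(record, rule=RULE, excluded=EXCLUDED_TENANTS):
    """All conditions must hold, and the tenant must not be excluded."""
    if record.get("Tenant") in excluded:
        return False
    return all(condition_holds(record, *cond) for cond in rule)

# Constructed, simplified records; real audit log entries carry more fields.
SAMPLE_RECORDS = [
    {"Tenant": "contoso.example", "Operation": "A user logged in",
     "Username": "MyLovelyBreakGlassAccount@contoso.example"},
    {"Tenant": "fabrikam.example", "Operation": "A user logged in",
     "Username": "mylovelybreakglassaccount@fabrikam.example"},
    {"Tenant": "fabrikam.example", "Operation": "A user password has been reset",
     "Username": "mylovelybreakglassaccount@fabrikam.example"},
    {"Tenant": "contoso.example", "Operation": "A user logged in",
     "Username": "alice@contoso.example"},
    {"Tenant": "contoso.example", "Operation": "A user logged in",
     "Username": "mylovelybreakglassaccount2@contoso.example"},
    {"Tenant": "lab.example", "Operation": "A user logged in",
     "Username": "mylovelybreakglassaccount@lab.example"},
]

def matching_users(records=SAMPLE_RECORDS):
    """Return (tenant, username) for every record that would raise the alert."""
    return [(r["Tenant"], r["Username"]) for r in records if rule_fires(r)]

if __name__ == "__main__":
    for tenant, user in matching_users():
        print(f"ALERT {tenant}: {user}")
```

Only the first two records fire. A break glass account whose name deviates from the convention, such as the `mylovelybreakglassaccount2` record, is silently missed, so the alert is only as reliable as the naming consistency across tenants.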


Alert delivery methods:

  • Webhook - This will deliver a JSON payload to the webhook configured in CIPP Settings.

  • PSA - This will deliver a formatted payload to the configured PSA in CIPP Settings.

  • Email - This will deliver an HTML-formatted table to the email address provided in CIPP Settings.
