Add Alert
Manage scheduled tenant alerts.
CIPP offers a set of scheduled, recurring alert checks. Some of these duplicate Microsoft Alerts functionality in a more MSP-friendly manner, some are not available as a Microsoft Alert at this time.
Within CIPP, there are two types of alerts.
Scripted CIPP Alert
Audit Log Alert
Similar to Tenant Standards, you configure alerts using the wizard to select one or more tenants or -All Tenants- to apply alerts globally, then select from the list of available alerts.
Alert email delivers to the email address or webhook provided in CIPP settings. Alerts are delivered as an HTML-formatted table. Alerts fire once per incident - for example, a full mailbox does not fire an alert every time it's checked.
Each alert comes with a default value suggested by the CIPP team, but you can adjust it as needed. The available runtime schedules for scripted CIPP alerts are:
365 days / 1 year
30 days / 1 month
7 days / 1 week
1 day
4 hours
1 hour
Audit Log Alerts are processed in near real-time, but a small delay of up to 15 minutes is normal.
Available Scripted CIPP Alerts
Alert on users without any form of MFA
Alert on admins without any form of MFA
Alert on tenants without a Conditional Access policy, while having Conditional Access licensing available
Alert on changed admin Passwords
Alert on licensed users that have not logged in for 90 days
Alert on % mailbox quota used
Alert on % SharePoint quota used
Alert on licenses expiring in 30 days
Alert on new apps in the application approval list
Alert on Security Defaults automatic enablement
Alert if Defender is not running (Tenant must be on-boarded in Lighthouse)
Alert on Defender Malware found (Tenant must be on-boarded in Lighthouse)
Alert on unused licenses
Alert on overused licenses
Alert on expiring application secrets
Alert on expiring APN certificates
Alert on expiring VPP tokens
Alert on expiring DEP tokens
Alert on soft deleted mailboxes
Alert on device compliance issues
Alert on Huntress Rogue Apps detected
Available Template Audit Log Alerts
A new Inbox rule is created
A new Inbox rule is created that forwards e-mails to the RSS feeds folder
A new Inbox rule is created that forwards e-mails to a different email address
A new Inbox rule is created that redirects e-mails to a different email address
A existing Inbox rule is edited
A existing Inbox rule is edited that forwards e-mails to the RSS feeds folder
A existing Inbox rule is edited that forwards e-mails to a different email address
A existing Inbox rule is edited that redirects e-mails to a different email address
A user has been added to an admin role
A user sessions have been revoked
A users MFA has been disabled
A user has been removed from a role
A user password has been reset
A user has logged in from a location not in the input list
A service principal has been created
A service principal has been removed
A user has logged in a using a known VPN, Proxy, Or anonymizer
A user has logged in a using a known hosting provider IP
Example Usage
You might want to be alerted when a particular account logs into one of your tenants. For example Global Admins or break glass accounts. This is relatively simple if you have consistent naming across your tenants i.e. mylovelybreakglassaccount@tentantdomains.com
Create an Audit log alert
In the tenant selector, select All Tenants
Select Azure AD as the log source
Select "Operation" as the When property
Select "Equals To" as the is property
In the unput field select "A user logged in"
Add an extra set of variables
Select "Username" as the When property
Select Like as the is property
Enter the username to test for across all tenants i.e. mylovelybreakglassaccount@* (Note the * after the @ to match all domains)
Choose the action(s) you want and save the alert.
Last updated