How to monitor user role changes in Microsoft Entra ID

Ensuring robust security and seamless access control is paramount for organizations of all sizes. IAM solutions like Microsoft Entra ID (formerly Azure AD) play a pivotal role in managing user identities, enforcing permission controls, securing access to critical applications and resources, and vigilantly monitoring environmental changes. Role-based access control (RBAC) in Microsoft Entra ID allows you to grant specific permissions to users using built-in roles, ensuring that each user has the necessary access to perform their tasks without giving them too much control.

Why do we need to monitor user role changes in Microsoft Entra ID?

User roles are used to define access to applications and permissions in Microsoft Entra ID. This makes role changes to users an inconspicuous way for attackers to elevate the privileges of their accounts or their target accounts without any group changes or major acts that can be noticed by other users.

Regular monitoring of user role changes helps detect unauthorized or unintended modifications, ensuring that any potential security risks are identified and addressed promptly. It also provides a clear audit trail of who made the changes, when, and what modifications were made. This helps in investigating any suspicious activities and finding out which account or user is compromised.

Tracking user role changes in Microsoft Entra ID and M365 Manager Plus

Microsoft Entra ID can help track down role changes using audit logs. This report can be filtered for changes made to user roles across your Microsoft 365 environment.

ManageEngine M365 Manager Plus, a comprehensive tool used for reporting, managing, monitoring, auditing, and creating alerts for critical activities in your Microsoft 365 environments, can also be used to track user role changes in Microsoft Entra ID.

This table is a comparison on how to track user role changes in Microsoft Entra ID and by using M365 Manager Plus.

How to set up alerts for user role changes in Microsoft Entra ID

While user role changes can be monitored via audit logs, quickly reversing unauthorized changes is crucial to prevent potential attacks. Manually generating daily reports and filtering out legitimate changes can be a labor-intensive process. You can generate alerts for this action using Azure Monitor, which requires the purchase of an additional license.

M365 Manager Plus offers alerts for crucial security events like user role changes, along with the capability to audit and monitor your entire Microsoft 365 environment at no additional cost. You can set alerts for user role changes at untimely hours by following the steps mentioned below:

1. Log in to M365 Manager Plus, navigate to Settings > Audit Configuration > Alert Profiles, and click Add Profile.

   

2. Type in a Profile Name and Description for your audit profile.
3. Select Azure Active Directory as your Microsoft 365 Service, choose Azure AD Role Administration as your Category, and include the following activities under Actions: Added users to admin role and Deleted users from admin role.

   

4. Assign a Severity level based on how crucial this alert is. In the example screenshot below, we've selected Attention.
5. Configure an alert message using Macros to use specific variables in your alert message. For this example, we've used the following message: %OBJECT_ID% modified by %ACTOR%. Activity is %OPERATION%.
6. Expand Advanced Configuration and check the Email every alert corresponding to this profile box to receive email alerts.
7. In the Filter Settings tab, use the Business Hours Filter to monitor for any alerts outside of working hours and the Filter By Column option to format the report data you will receive in your alerts.
8. Click Add to finalize your changes and create an alert profile to track user role changes in Microsoft Entra ID.

   

Limitations of using native tools to monitor user role changes in Microsoft Entra ID

• Administrators must be assigned at least the Reports Reader role to access the reports displayed in Microsoft Entra ID.
• Assigning granular permissions to execute individual tasks in a broad category is not possible.
• Reports generated using Microsoft Entra ID can only be exported in CSV and JSON formats.
• Reports will have to be filtered every time they are generated, and the filters cannot be saved, which can get exhausting if a filter is required to generate data that you require frequently.
• To set up alerts for user role changes in Microsoft Entra ID, Azure Monitor needs to be configured separately, which also requires an additional license.

Benefits of using M365 Manager Plus to monitor user role changes in Microsoft Entra ID

• Delegate granular permissions to technicians without elevating their Microsoft 365 privileges, and create custom roles with any combination of reporting, management, and auditing tasks.
• Export reports generated in M365 Manager Plus in not just CSV but also in other presentable formats, such as HTML, PDF, and XLSX.
• Filter your reports just once and save them as custom reports that you can access in just a few clicks.
• Configure alert profiles in M365 Manager Plus to notify you of specific activities that take place outside of business hours or occur at unusual frequencies.
• Gain a thorough understanding of your environment in Microsoft Entra ID, Exchange Online, SharePoint Online, OneDrive for Business, and other Microsoft 365 services with detailed reports from a single console.