How to monitor group membership changes in Microsoft Entra ID

Maintaining robust security and efficient access control is a major requirement for any organization. IAM solutions like Microsoft Entra ID (formerly Azure AD) can help administrators with managing their users, controlling permissions, securing access to applications and resources, and monitoring any changes in the environment.

Microsoft Entra ID uses security groups and Microsoft 365 groups to consolidate multiple users, allowing administrators to apply settings to a group and all its members. This group-based approach is essential for enforcing security policies, ensuring compliance, and enabling seamless collaboration across Microsoft 365 applications and services.

Why do I need to monitor group membership changes in Microsoft Entra ID?

When a user is assigned to a group, they are granted access to the resources of the group by default. This behavior can be used by attackers to add themselves or their target accounts to groups that are granted elevated access levels. For example, adding a compromised user to an administrative group can grant them elevated privileges, enabling them to perform actions beyond their original permissions. Monitoring these changes can help prevent these attacks.

Monitoring group membership changes also provides a clear audit trail of who made the changes and when and what modifications were made. This helps in investigating any suspicious activities and finding out which account or user is compromised.

Tracking group membership changes in Microsoft Entra ID and M365 Manager Plus

Microsoft Entra ID can help track down group membership changes using Audit Logs, which provides a detailed report on all actions performed in your Microsoft 365 environment. This report can be filtered by the actions performed on the group to track group membership changes.

ManageEngine M365 Manager Plus, a comprehensive tool used for reporting, managing, monitoring, auditing, and creating alerts for critical activities in your Microsoft 365 environments, can also be used to track the group membership changes in Microsoft Entra ID.

This table is a comparison on how to track group membership changes using Microsoft Entra ID and M365 Manager Plus.

Note: User role changes can also be tracked by filtering for Add member to role in Microsoft Entra ID or using the Recently Added Member to Roles report in M365 Manager Plus . Click here to learn more.

How to set up alerts for group membership changes in Microsoft Entra ID

Although group membership changes can be tracked using Audit Logs, it's not a reliable way to identify and mitigate an attack in real time. Generating the reports on a daily basis and filtering out legitimate changes is an exhaustive task. You can generate alerts for this action using Azure Monitor, which requires the purchase of an additional license.

M365 Manager Plus offers alerts for crucial security events like group membership changes, along with the capability to audit and monitor your Microsoft 365 environment. You can set alerts for unusual group membership changes by following these steps:

1. Log in to M365 Manager Plus, navigate to Settings > Audit Configuration > Alert Profiles, and click Add Profile.

   

2. Type in a Profile Name and Description for your audit profile.
3. Select Azure Active Directory as your Microsoft 365 Service, choose Azure AD Groups as your Category, and include the following activities under Actions: Add member to group, Removed member from group, Updated group settings, Added owner to group, and Removed owner from group.

   

4. Assign a Severity level based on how crucial this alert is. In the example screenshot below, we've selected Attention.
5. Configure an alert message using Macros to use specific variables in your alert message. For this example, we've used the following message: %OBJECT_ID% modified by %ACTOR%. Activity is %OPERATION%.
6. Expand Advanced Configuration and check the Email every alert corresponding to this profile box to receive email alerts.
7. In the Filter Settings tab, use the Business Hours Filter to monitor for any alerts outside of working hours and the Filter By Column option to format the report data you will receive in your alerts.
8. Click Add to finalize your changes and create an alert profile to track group membership changes in Microsoft Entra ID.

   

Limitations of using native tools to monitor group membership changes in Microsoft Entra ID

• Administrators must be assigned at least the Reports Reader role to access the reports displayed in Microsoft Entra ID.
• Assigning granular permissions to execute individual tasks in a broad category is not possible.
• Reports generated using Microsoft Entra ID can only be exported in CSV and JSON formats.
• Reports will have to be filtered every time they are generated, and the filters cannot be saved. This can be inefficient if a filter is required to generate data that you require frequently.
• To set up alerts for group membership changes in Microsoft Entra ID, Azure Monitor needs to be configured separately, which requires an additional license.

Benefits of using M365 Manager Plus to monitor group membership changes in Microsoft Entra ID

• Delegate granular permissions to technicians without elevating their Microsoft 365 privileges, and create custom roles with any combination of reporting, management, and auditing tasks.
• Export reports generated in M365 Manager Plus in not just CSV, but also in other presentable formats such as HTML, PDF, and XLSX.
• Filter your reports just once and save them as custom reports that you can access later in just a few clicks.
• Configure alert profiles in M365 Manager Plus to notify you of specific activities that take place outside of business hours or occur at unusual frequencies.
• Gain a thorough understanding of your environment in Microsoft Entra ID, Exchange Online, SharePoint Online, OneDrive for Business, and other Microsoft 365 services with detailed reports from a single console.