How to monitor recently created users in Microsoft Entra ID
Recently created users in Microsoft Entra ID are new accounts added to the organization's directory. These users can be employees, contractors, or individuals needing access to the organization's resources. Monitoring these users is crucial for maintaining security, ensuring compliance, and detecting unauthorized account creation. Users or administrators can use the Microsoft Entra admin center to review user activity logs, set up alerts for new user creations, and analyze trends over time.
The table is a comparison of how to monitor recently created users using the Microsoft Entra admin center and M365 Manager Plus.
Microsoft Entra admin center
Steps to monitor recently created users in the Microsoft Entra admin center
- Log in to the Microsoft Entra admin center and navigate to Identity > Users.
- Click Audit logs and specify the time period in which you wish to track the created users.
- Specify the Service and Category.
- Under Activity, select Add User and click Apply.
M365 Manager Plus
Steps to monitor recently created users in M365 Manager Plus
- Log in to M365 Manager Plus and navigate to the Reports tab > Azure Active Directory > User Reports.
- Under General User Reports, select Recently Created Users.
- Select the Microsoft 365 Tenant, the particular domains and groups from the Filter By field, and the Duration for which you wish to see the created user details, and then click Generate Now.
Create alerts for recently created users in Microsoft Entra ID using M365 Manager Plus
Unexpected user creation, especially in bulk during non-business hours, can indicate unauthorized access or compromised systems. Creating alerts for such activities provides timely notifications, allowing security teams to investigate suspicious activity promptly. While Azure Monitor can generate alerts for these activities, it requires additional licensing.
M365 Manager Plus offers comprehensive monitoring, auditing, and alerting capabilities for your entire Microsoft 365 environment. You can easily set up alerts for bulk user creation, set the severity and alert threshold, and customize messages with the details of the event to notify admins, all without having to purchase an additional license. Follow the steps mentioned below to create alerts for recently created users.
- Log in to M365 Manager Plus and navigate to the Settings tab > Configuration > Audit Configuration > Alert Profiles, and click Add Profile.
- Enter a Profile Name and Description for the alert.
- Select Azure Active Directory as your Microsoft 365 Service, Azure AD user as the Category, and Added user as the Actions.
- Specify the Severity and configure an Alert Message using Macros.
- Under the Advanced Configuration section, check the Email every alert corresponding to this profile check box in the Notification tab to receive email alerts.
- In the Filter Settings tab, you can configure an Alerts Threshold to alert you when a certain event occurs above a certain frequency. Use the Business Hours Filter to monitor for any alerts outside of working hours and the Filter By Column option to set attribute-based conditions based on which the data must be filtered, and click Add.
Limitations of using the Microsoft Entra admin center to monitor recently created users
- Administrators need to be assigned at least the Reports Reader role to access reports in Microsoft Entra ID.
- The built-in reporting features in the Microsoft Entra admin center may not offer a high level of detail or customization, making it challenging to create tailored reports that meet specific needs.
- Setting up alerts in the Microsoft Entra admin center requires configuring Azure Monitor, which necessitates purchasing an additional license.
- Accessing and navigating through the Microsoft Entra admin center can be cumbersome, especially for administrators who are not familiar with the interface.
Benefits of using M365 Manager Plus to monitor recently created users
- M365 Manager Plus offers flexible role-based access control, allowing administrators to assign customized roles and permissions to help desk technicians, which provides ease of access to reports without being restricted to predefined roles like in Microsoft Entra ID.
- M365 Manager Plus provides advanced and customizable reporting features, enabling administrators to create detailed reports tailored to specific requirements, and it also offers scheduled report generation.
- With advanced filtering and search capabilities, M365 Manager Plus allows for comprehensive reporting and monitoring of all aspects of Microsoft Entra ID from a single console. It offers advanced alerting and notification features, enabling administrators to set up real-time alerts for specific events, ensuring they are promptly informed of anomalies.
- It provides an intuitive and user-friendly interface, reducing the learning curve for administrators and improving efficiency in managing and analyzing logs.
Effortlessly schedule and export reports on your Microsoft 365 environment.
Try now for free