Hey everyone! We're a small tenant with a tight budget, and after a recent issue where our Azure subscription was disabled due to exceeding the trial credits, I realized I need a better way to monitor our admin accounts. I've set up PIM for privileged access, but when I needed to fix the billing, I was locked out and couldn't elevate my permissions. To prevent this from happening again, I've established a backup emergency admin account with long, complex credentials and MFA.
Now, I'm looking to create an email alert to notify me whenever this break glass account logs in. I've previously set up "Activity alerts" in the Security Centre, but I'm having trouble finding the right settings as everything seems to have changed. I'm also interested in any free solutions, preferably something that Power Automate can handle, since I have PA Premium. Any recommendations? Thanks!
3 Answers
If you're interested, Microsoft's article on break glass accounts has instructions for setting up alerts and adapting them for any accounts you want to monitor. It could be a good starting point for you!
You can also set alerts through Defender for Cloud Apps, if your licensing allows for it. There's a detailed guide on how to monitor a break glass account, which might be helpful for you: [Monitoring a break glass account with Defender](https://blog.ciaops.com/2023/10/24/monitoring-a-break-glass-account-with-defender-for-cloud-apps/)
You could send your sign-in logs to Log Analytics and set up an email alert when the emergency admin account is accessed. It's a pretty straightforward solution. Just make sure you're checking Log Analytics for any alerts that you need.
Yeah, Log Analytics is definitely the first place I'd look when in doubt!
But what if your Azure subscription is disabled? You might need to have multiple subscriptions to keep things running and avoid hitting those quotas.
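The Log Analytics suggestion above can be backed by a log search alert query like the following. This is an added example, not part of the original thread. It assumes sign-in logs are already exported to the workspace through Entra diagnostic settings and that the workspace's subscription is active. The object ID is a constructed placeholder, and matching on the object ID rather than the UPN is a choice made here so that a rename of the account does not silence the alert.

```kusto
// Added example: sign-ins by the emergency (break glass) account.
// Constructed placeholder: replace with the account's Entra object ID.
let breakGlassObjectId = "00000000-0000-0000-0000-000000000000";
// Cover interactive and non-interactive sign-ins; isfuzzy lets the query
// still run if one of the two tables is not being exported.
union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(15m)
| where UserId == breakGlassObjectId
// ResultType "0" is a successful sign-in; any other code is a failure,
// which is also worth an alert for an account that should be idle.
| extend Outcome = iff(ResultType == "0", "success", "failure")
| project TimeGenerated, Type, UserPrincipalName, Outcome, ResultType,
          ResultDescription, AppDisplayName, IPAddress
| order by TimeGenerated desc
```

Attach the query to an alert rule that fires when the number of results is greater than 0, with an action group that sends the email.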