In almost every deployment or review of Office 365 the following question comes up: “How do I know everything is OK?” In this blog I want to point you to the Alerts and Notifications in Office 365’s Security & Compliance Center, and in the future Security Center, that can help.
The Security Center has several built-in alerts ready to notify admins of actions occurring in the environment, but many admins are not taking advantage of them. You can also set up additional alerts, whether out of curiosity or to monitor what is going on in your Office 365 tenant.
First let’s make sure you know how to get to the alerts for review or creation. The current Security & Compliance center can be found in several ways. For me the easiest ways are to just go to https://protection.office.com or find the Security & Compliance Admin Center from https://admin.microsoft.com. In the future you will access the Security Center from https://security.microsoft.com.
Once in the Center you should find the Alerts section. You will want to review the Alert Policies.
Here you should find a few default System policies. An example would be “Creation of forwarding/redirect rule”.
The default policies are set up to send notifications to TenantAdmins, which means any and all Global Administrators. This is where it gets fun. If a Global Administrator does not have an Exchange license, the account has no mailbox to receive the notifications. I typically advise adjusting the alert so that it sends its email notification to a distribution group that is monitored by the IT staff.
Within the Alert Policies section, you will find there is a New Alert Policy button. This will launch a wizard process to create a new alert.
During the wizard you will walk through the process of naming and configuring the alert to your needs.
You can search for the alerting actions. In my test setup I wanted to get alerted every time someone deleted a file in my OneDrive.
You will notice that these rules trigger on every occurrence. Depending on the licensing you could set up thresholds, so they occur after a certain number of instances in a set period of time.
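The same recipient review and alert creation can be scripted from Security & Compliance PowerShell. This is an added example, not part of the original post; the group address and policy name are hypothetical, and it assumes the ExchangeOnlineManagement module and that the default recipient appears in `NotifyUser` as the literal value `TenantAdmins`.

```powershell
# Added example: review alert policy recipients and create a file-deletion alert.
# Needs the ExchangeOnlineManagement module and a role allowed to manage alert policies.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell; prompts for sign-in

# Hypothetical distribution group monitored by the IT staff.
$MonitoredGroup = 'it-alerts@example.com'

# 1. Show every alert policy and who it notifies.
$policies = Get-ProtectionAlert
$policies | Sort-Object Name |
    Format-Table Name, Severity, Disabled,
        @{ Name = 'NotifyUser'; Expression = { $_.NotifyUser -join '; ' } } -AutoSize

# 2. Find policies whose only recipient is TenantAdmins (assumed literal value).
#    If no Global Administrator has a mailbox, these notify nobody.
$tenantAdminsOnly = $policies | Where-Object {
    $recipients = @($_.NotifyUser)
    $recipients.Count -eq 1 -and [string]$recipients[0] -eq 'TenantAdmins'
}

# 3. Keep TenantAdmins and add the monitored group to each of those policies.
foreach ($policy in $tenantAdminsOnly) {
    Write-Host "Adding $MonitoredGroup to '$($policy.Name)'"
    Set-ProtectionAlert -Identity $policy.Name `
        -NotifyUser @('TenantAdmins', $MonitoredGroup)
}

# 4. Create an alert on the FileDeleted audit activity.
#    AggregationType None = notify on every occurrence. Thresholds
#    (SimpleAggregation with -Threshold/-TimeWindow) depend on licensing.
#    This fires tenant-wide; narrowing it to one user or site is not shown here.
$alertName = 'File deleted (every occurrence)'   # hypothetical policy name
if (-not ($policies | Where-Object Name -eq $alertName)) {
    New-ProtectionAlert -Name $alertName `
        -Category Others `
        -ThreatType Activity `
        -Operation FileDeleted `
        -AggregationType None `
        -Severity Low `
        -NotifyUser $MonitoredGroup `
        -Description 'Notify IT whenever a file is deleted.'
}
```

Rerun step 1 afterwards to confirm that every policy lists a recipient that actually has a mailbox.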
There is one last alert that is not part of the Security & Compliance Center. OneDrive has a built-in alerting process for when a user account is deleted. If a user account is deleted, it means that all that user’s OneDrive data will be deleted. OneDrive will send a notification to the user’s manager to inform them they need to take actions to copy that data out somewhere else within 30 days.
But what if there is no manager listed? The notification will then go to the SharePoint administrators for the MySite collection or any secondary administrators on the OneDrive profile for that user. This is a similar situation to the TenantAdmins group. If the Global Administrators do not have a mailbox, no notifications will be received.
There are many built-in features in Office 365 and new ones are added all the time. It can be difficult to keep up with the features and how to utilize them. These alerts are only a small part of the features that can be taken advantage of to get even more value out of your Office 365 services. Need more information? Email email@example.com. We are happy to help!