
How to trigger an SMS alert with a Log Analytics workspace when someone tries to sign in to an account

  • Writer: Vlad Johansen
  • Nov 18, 2024

In this blog post I want to show you how to monitor an account with a Log Analytics workspace in Azure and trigger an SMS alert when someone tries to sign in to it. The sign-in doesn't need to succeed to trigger the alert: entering the username with a random password is enough. This is especially important for break glass (emergency) accounts and other highly privileged or critical accounts in your tenant.


Prerequisites:


  1. One active Azure subscription

  2. One active Resource Group and Log Analytics Workspace

  3. Collection of sign-in logs to the Log Analytics Workspace. Set this up through entra.microsoft.com -> Users -> All Users -> Sign in logs -> Export Data Settings -> Sign in Logs -> choose the Azure subscription and Log Analytics Workspace and press Save. Alternatively, you can collect this log through a Microsoft Sentinel workspace and the Entra ID data connector

  4. One active account to monitor, with its Object ID (doesn't need any license)

  5. One active phone number


Ok, let's go


  1. First of all, we need to get the Object ID of our account


Go to entra.microsoft.com --> Users --> All Users --> find the user account that needs to be monitored and copy its Object ID value. We will need this later.


  2. Go to portal.azure.com and find your Log Analytics Workspace


    Go to Monitoring in the left pane and press Alerts

    Then press Create and choose Alert rule


  3. In Signal name select Custom log search


    Copy and paste this KQL query and test it before creating the alert rule


    SigninLogs
    | project UserId
    | where UserId == "Insert Your Object ID in here"


In my case I have only signed in to the account once, so I only got one result by running the query


It should look like this after testing



  4. Leave Measurement fields and Split by dimensions as is and go to Alert logic


PS: Note that the monthly cost is estimated at 1,50 USD

  5. In Alert logic set the Threshold value to 0 and leave everything else as is


  6. Now go to Actions -> choose Use Action groups and Create action group


  7. Give your Action group a name and display name and press Next

  8. Choose Email/SMS -> SMS -> Country code -> enter the phone number and press OK

  9. Give it a name as well

  10. Now go to Review + create and press Create



It should look like this


  11. Now go to the Details tab


Select Severity: 0 Critical

In Alert rule name enter your preferred name

In Alert rule description enter your preferred description.

Note: This text will appear in the SMS message

Press Review + create when you are finished


And Create


Now we can see that we have an Action group in our Log Analytics Workspace


Great. It's time to test our alert now by trying to sign in to our account


BINGO. About 7 minutes after the sign-in attempt I got a warning message on my phone number.
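
The KQL query above keeps only UserId, so a hit tells you that someone tried to sign in but not from where or whether it worked. The variant below is an added example, not the author's query: it keeps the columns needed for triage and labels each attempt as a success or a failure. The Object ID is a placeholder and the name MonitoredAccounts is made up for illustration.

```kusto
// Added example (not the author's query): triage view of sign-in attempts
// against monitored accounts, using the same SigninLogs table as above.

// Assumption: placeholder Object ID, replace it with the value copied from Entra.
// "MonitoredAccounts" is an illustrative name; list several IDs if needed.
let MonitoredAccounts = dynamic([
    "00000000-0000-0000-0000-000000000000"
]);
SigninLogs
// Filter first so later operators only process the monitored account's rows.
| where UserId in~ (MonitoredAccounts)
// ResultType "0" is a successful sign-in; any other code is a failed or
// interrupted attempt.
| extend Outcome = iff(tostring(ResultType) == "0", "Success", "Failure")
// One row per account / source IP / location / application / outcome.
| summarize Attempts   = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated),
            ErrorCodes = make_set(ResultType)
    by UserPrincipalName, UserId, Outcome, IPAddress, Location, AppDisplayName
| order by LastSeen desc
```

The query still returns rows only when a monitored account appears in SigninLogs, so an alert rule that fires on the number of returned rows with the threshold set to 0 behaves the same way with it.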


1 Comment


Morrison
Oct 09, 2025

The sad part about all of this is it shouldn't take this much work to set something like this up.

© 2024-2025 need4.cloud