IT Solutions for Modern Business

Microsoft 365 – Email Alert When User Logs In

Introduction

If you’re looking for an easy way to receive an email alert when a specific user logs into Microsoft 365, this post is for you!

Background

A customer recently requested that I configure an email alert that triggers when a specific user signs into Microsoft 365. No problem, right? Well…

Microsoft offers an array of confusing options when it comes to customizing security alerts. Microsoft also has a uniquely annoying habit of changing GUIs and product names prior to updating their documentation (and before we’ve had a chance to learn the last version!). As of the publication of this post, Microsoft, Google, and various LLMs offer no viable instructions for how to achieve this in the latest version of the Defender portal. I thought I’d share the solution.

Instructions

Note: The following assumes a Microsoft 365 Global Administrator account with a bundle that includes “Microsoft Defender for Cloud Apps”, which is currently part of E5 or F5 (reference).

  1. Navigate to the Defender portal:
    • Admin Center > All Admin Centers > Security
  2. On the left, navigate to Cloud Apps > Policy Management
  3. Create a new policy and set as follows:
    • No Template
    • Name
    • Category (of your choice)
    • Description (recommended)
    • Act on: Single activity
    • Configure two filters:
      • Activity Type – equals – Log on
      • User – Name – equals – <UPN of user to monitor> – as – Actor only
    • Check the boxes next to “Create an alert for each matching event…” and “Send alert as email”.
    • Populate a list of addresses to receive the alert.
    • Customize the “Daily alert limit per policy” setting, which limits how many alerts you receive for multiple logins.
    • The “Governance actions” section can be ignored unless you optionally want to take automatic action when the user logs in.
  4. Save

Additional Notes

These types of alerts are not real-time… there will be a delay due to the logging and Exchange transport processes, but not a significant one from my experience (minutes).

These alerts will trigger when a user logs into a portal directly, but not when navigating from their portal to a web app like OWA or OneDrive (because they already have a valid session token cached in the browser). Similarly, desktop applications like Teams and Outlook will not trigger an alert if their authentication session tokens are handled as part of the native Windows single sign-on process, i.e. the user isn’t actually prompted to log in. To get an alert for the user’s next login to any app, you would have to revoke the user’s Entra ID tokens, forcing them to log in again everywhere. To get an alert for all logins, you would have to modify Entra ID policy to not allow refresh tokens at all, which would result in a distinctly different user experience.
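
To cross-check the alerts against what Entra ID actually recorded, and optionally force the fresh login described above, here is an added example that is not part of the original post. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in admin can consent to the listed scopes; the script and parameter names are illustrative.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph
# PowerShell SDK (Microsoft.Graph.Authentication, .Reports, .Users.Actions).
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,  # UPN of the monitored user
    [int]    $LookbackHours = 24,                         # how far back to search
    [switch] $RevokeSessions                              # force a new login everywhere
)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'User.RevokeSessions.All'

if ($RevokeSessions) {
    # Invalidates the user's refresh tokens and browser session cookies, so the
    # next access from any app requires a real logon that the policy can match.
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    Write-Host "Sessions revoked for $UserPrincipalName"
}

# Build an OData filter: this user, within the lookback window (UTC).
# Sign-in log UPN values are typically stored lowercase, so normalise the input.
$since  = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours).ToString('yyyy-MM-ddTHH:mm:ssZ')
$upn    = $UserPrincipalName.ToLower().Replace("'", "''")
$filter = "userPrincipalName eq '$upn' and createdDateTime ge $since"

# The v1.0 endpoint behind this cmdlet lists interactive sign-ins by default,
# which are the logons the "Log on" activity policy is expected to alert on.
$signIns = Get-MgAuditLogSignIn -Filter $filter -All |
    Sort-Object CreatedDateTime -Descending

if (-not $signIns) {
    Write-Host "No interactive sign-ins for $UserPrincipalName in the last $LookbackHours hour(s)."
    return
}

$signIns |
    Select-Object CreatedDateTime, AppDisplayName, ClientAppUsed, IPAddress,
        @{ Name = 'Result'; Expression = {
            if ($_.Status.ErrorCode -eq 0) { 'Success' }
            else { "Failure ($($_.Status.ErrorCode))" }
        } } |
    Format-Table -AutoSize
```

Each row listed should correspond to an alert email, subject to the “Daily alert limit per policy” setting; a sign-in with no matching alert points at the policy filters or the limit.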

Conclusion

Hopefully you found this helpful! If you are interested in assistance with your cloud service, please do not hesitate to reach out. We’d love the opportunity to work with you.

Author: Chris King