Microsoft 365 provides powerful security features to help protect your organization. However, misuse or compromise of admin privileges can quickly lead to serious breaches. Actions like changing user roles, forwarding emails externally, or granting illicit app consents can open the door to malicious activity if not carefully monitored.
Why Monitor Administrative Actions?
Elevated Access Risks: Admin privileges can override standard security controls, making them prime targets for attackers.
Compliance Requirements: Many regulations and benchmarks (e.g., HIPAA, CIS) demand stringent oversight of elevated privileges and security settings.
Early Compromise Detection: Spotting suspicious admin changes can help you detect a breach quickly and mitigate damage.
Default Alert Policies
Microsoft provides built-in alert policies in Microsoft 365 that can detect Exchange admin permission abuse, malware activity, and potential external or internal threats, as well as information governance concerns. These policies appear in bold on the Alert policies page (https://security.microsoft.com/alertpolicies) and are labeled as System. By default, they’re already turned on. While you can switch them off or on, add recipients for notifications, and set a daily notification limit, you cannot modify any other settings for these built-in policies.
Three Must-Have Security Alert Policies in Microsoft 365
Although Microsoft 365 offers built-in templates, each organization may require additional custom alerts based on its unique risk profile.
1. Changes to User Roles and Permissions
What to Monitor:
Assignments of high-privilege roles (e.g., Global Administrator, Exchange Admin)
Role removals or unexpected role modifications
Risk:
Attackers with admin rights can delete data, create backdoors, or exfiltrate information.
Create a Related Alert Policy
Sign in to Microsoft Defender portal (with an admin role).
In Email & collaboration, select Policies & Rules > Activity alerts.
Select New alert policy: Create a custom alert, name it, and describe the activities to monitor.
Alert type: Select Custom.
Activities: Role administration activities: Added member to role, Removed a user from a directory role
Users: Either specific users or all users in the organization.
Recipients: Specify who should receive email notifications.
Save your new alert policy.
2. Inbox Rule Changes or New Forwarding Rules
What to Monitor:
Creation or modification of inbox rules that forward emails externally
Suspicious filters or redirect rules
Risk:
Forwarding rules can route sensitive data outside your organization, often without detection.
Microsoft 365 includes built-in alerts such as Creation of forwarding/redirect rule and Suspicious Email Forwarding Activity to monitor these activities.
To confirm these are enabled, go to the Microsoft Defender portal, then under Email & collaboration select Policies & Rules > Alert policy.
3. Illicit Consent Grant
What to Monitor:
Apps requesting unusual permissions (e.g., access to emails, documents, contacts)
Consent granted to external apps not related to regular business operations
Risk:
Attackers can trick users into granting an attacker-registered Azure application access to corporate data.
Once consent is granted, the app can continuously access information such as emails and files through that consent, without needing the user's credentials or an account in the organization.
Create a Related Alert Policy
Sign in to Microsoft Defender portal (with an admin role).
In Email & collaboration, select Policies & Rules > Activity alerts.
Select New alert policy: Create a custom alert, name it, and describe the activities to monitor.
Alert type: Select Custom.
Activities: select all under Application administration activities.
Users: Either specific users or all users in the organization.
Recipients: Specify who should receive email notifications.
Save your new alert policy.
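The three custom alert types described in sections 1, 2 and 3 above can also be checked outside the portal, for example when triaging an audit log export. The following is an added example written for this article, not code from Microsoft or from the portal; it classifies unified audit log records into the three categories. The record shapes are assumed to follow the AuditData JSON that the Office 365 Management Activity API and Search-UnifiedAuditLog return (Operation, UserId, ObjectId, ModifiedProperties, Parameters), the tenant domain contoso.com and the sample records are constructed, and the list of high-privilege roles is an assumption to be adjusted per tenant.

```python
"""Classify Microsoft 365 unified audit log records into three alert categories:
role changes, external forwarding rules and application consent grants.
Record layout follows the AuditData JSON of the Management Activity API
(assumption); every record below is constructed for this example."""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

INTERNAL_DOMAINS = {"contoso.com"}  # constructed tenant domain (assumption)
HIGH_PRIVILEGE_ROLES = {  # assumption: extend to match your tenant's sensitive roles
    "Global Administrator", "Exchange Administrator", "Privileged Role Administrator",
}
ROLE_OPERATIONS = {"Add member to role.", "Remove member from role."}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
CONSENT_OPERATIONS = {"Consent to application.", "Add OAuth2PermissionGrant."}
FORWARDING_PARAMETERS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                         "ForwardingSmtpAddress", "ForwardingAddress"}


@dataclass
class Alert:
    category: str  # role-change | external-forwarding | app-consent
    actor: str     # UserId that performed the action
    detail: str


def modified_value(record: dict, name: str) -> str:
    """NewValue of the named ModifiedProperties entry, or '' when absent."""
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == name:
            return str(prop.get("NewValue", ""))
    return ""


def parameters(record: dict) -> dict:
    """Flatten the Exchange cmdlet Parameters array into a name -> value dict."""
    return {p.get("Name"): str(p.get("Value", "")) for p in record.get("Parameters", [])}


def is_external_address(address: str) -> bool:
    """True when the recipient domain is not one of the tenant's own domains."""
    addr = address.strip().lower()
    if addr.startswith("smtp:"):  # Exchange proxy-address form smtp:user@domain
        addr = addr[len("smtp:"):]
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def classify(record: dict) -> Optional[Alert]:
    """Map one audit record to an Alert, or None when it is not alert-worthy."""
    op = record.get("Operation", "")
    actor = record.get("UserId", "unknown")
    if op in ROLE_OPERATIONS:
        role = modified_value(record, "Role.DisplayName")
        target = record.get("ObjectId", "unknown")
        # Section 1: every removal, and every assignment of a high-privilege role
        if op.startswith("Remove") or role in HIGH_PRIVILEGE_ROLES:
            return Alert("role-change", actor, f"{op} {role} for {target}")
    elif op in RULE_OPERATIONS:
        params = parameters(record)
        # Section 2: any forwarding/redirect parameter pointing outside the tenant
        for name in sorted(FORWARDING_PARAMETERS.intersection(params)):
            recipients = [r for r in params[name].replace(",", ";").split(";") if r.strip()]
            external = [r for r in recipients if is_external_address(r)]
            if external:
                return Alert("external-forwarding", actor, f"{op} {name}={';'.join(external)}")
    elif op in CONSENT_OPERATIONS:
        # Section 3: every consent grant, with the permissions and consent type
        perms = modified_value(record, "ConsentAction.Permissions")
        admin = modified_value(record, "ConsentContext.IsAdminConsent")
        return Alert("app-consent", actor,
                     f"{op} app={record.get('ObjectId')} admin={admin} permissions={perms}")
    return None


def parse_lines(lines: Iterable[str]) -> List[dict]:
    return [json.loads(line) for line in lines]


def scan(records: Iterable[dict]) -> List[Alert]:
    return [a for a in map(classify, records) if a is not None]


# Constructed sample export: one record per line, as an audit log export would give.
SAMPLE_AUDIT_LINES = [
    '{"Operation":"Add member to role.","UserId":"admin@contoso.com","ObjectId":"mallory@contoso.com",'
    '"ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Global Administrator"}]}',
    '{"Operation":"Add member to role.","UserId":"admin@contoso.com","ObjectId":"bob@contoso.com",'
    '"ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Directory Readers"}]}',
    '{"Operation":"New-InboxRule","UserId":"alice@contoso.com",'
    '"Parameters":[{"Name":"Name","Value":"Reports"},{"Name":"ForwardTo","Value":"drop@example.net"}]}',
    '{"Operation":"New-InboxRule","UserId":"alice@contoso.com",'
    '"Parameters":[{"Name":"Name","Value":"Team"},{"Name":"MoveToFolder","Value":"Projects"}]}',
    '{"Operation":"Set-Mailbox","UserId":"admin@contoso.com",'
    '"Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:archive@contoso.com"}]}',
    '{"Operation":"Consent to application.","UserId":"alice@contoso.com","ObjectId":"<app-object-id>",'
    '"ModifiedProperties":[{"Name":"ConsentContext.IsAdminConsent","NewValue":"False"},'
    '{"Name":"ConsentAction.Permissions","NewValue":"Mail.Read, Files.ReadWrite.All"}]}',
]

if __name__ == "__main__":
    for alert in scan(parse_lines(SAMPLE_AUDIT_LINES)):
        print(f"[{alert.category}] actor={alert.actor}: {alert.detail}")
```

Run against the constructed export, the scan flags the Global Administrator assignment, the inbox rule forwarding to example.net and the consent grant, while the Directory Readers assignment, the folder-move rule and the internal forwarding address pass. The consent branch deliberately alerts on every grant rather than only on unusual permissions, matching the portal step above that selects all Application administration activities; the Mail.Read and Files.ReadWrite.All scopes in the detail string are what an analyst then reviews.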
Monitoring critical administrative actions in Microsoft 365—such as role changes, email forwarding, and illicit consent grants—is essential for keeping your environment secure and compliant. Microsoft offers both default alert policies and flexible custom alerts to help you detect threats quickly. Staying on top of these alerts can be time-consuming—especially as your organization grows or threat landscapes evolve. That’s where PlexHosted can help.
Ready to strengthen your Microsoft 365 environment? Contact PlexHosted to learn how our MSSP services can enhance your security posture, reduce operational overhead, and let you focus on your core business.