Prashant

Reputation: 1190

Trigger based on addition of User in Azure AD

I am looking for a mechanism to identify the users who are added to a specific group and trigger an action based on the user addition event. It looks like people are still waiting for it to be available from Azure. The details can be found here.

The solution that I am thinking of at the moment is to have an Azure task/Function that goes through the audit logs, detects the "user added" event and then triggers an action.

Is there any other better method?

Upvotes: 1

Views: 3680

Answers (2)

Joy Wang

Reputation: 42143

You could integrate Azure AD logs with Azure Monitor logs, send the Azure AD AuditLogs to the Log Analytics workspace, then alert on Azure AD activity log data. The query could be something like this (just a sample, I have not tested it, because there is some delay; the log will not be sent to the workspace immediately when the event happened):

AuditLogs
| where TimeGenerated >= ago(1h) 
| where OperationName == "Add member to group"


You could set the alert logic depending on your own requirement, e.g. "Whenever count of results in Custom log search log query for last 1 hour is greater than 0. Evaluated every 10 minutes." Then configure the action group and select the action type you want, like Email or webhook.

Upvotes: 2

4c74356b41

Reputation: 72191

A better way would be to trigger an automation runbook based on an alert based on a condition specific to that audit event. But I'm not sure adding a user is an audit event on the Azure level; it is probably an Azure AD event. I don't think Azure AD offers events based on that.

So you'd have to basically parse the events and figure out where you stopped last time based on time or something like that.

Upvotes: 0
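The two answers above describe the same pipeline from different ends: filter the audit log for "Add member to group" (the KQL sample in the first answer) and, if you poll from a Function instead of using an alert, remember where you stopped last time (the second answer). The following is an added example, not code from the question or either answer, showing both pieces for one watched group: it filters exported audit records for successful additions to that group and keeps a checkpoint so that re-reading an overlapping window never fires the downstream action twice. The record layout follows the Microsoft Graph directoryAudit resource as I understand it (activityDisplayName, activityDateTime, result, targetResources with modifiedProperties such as Group.ObjectID); treat those field names, the group id and every sample record as assumptions and check them against a real export before relying on them.

```python
"""Detect successful 'Add member to group' events for one Azure AD group and
track a checkpoint so each event is handled once (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

# Group whose membership we watch (constructed placeholder id, not a real group).
WATCHED_GROUP_ID = "11111111-2222-3333-4444-555555555555"
OTHER_GROUP_ID = "99999999-8888-7777-6666-555555555555"


def _rec(rid, when, op, result, upn, group_id=None, group_name=None):
    """Build one constructed record in the directoryAudit shape (assumed layout).
    Graph stores modifiedProperties values as JSON-encoded strings, so the
    group id is wrapped in quotes the same way."""
    props = []
    if group_id:
        props = [{"displayName": "Group.ObjectID", "newValue": json.dumps(group_id)},
                 {"displayName": "Group.DisplayName", "newValue": json.dumps(group_name)}]
    return {"id": rid, "activityDisplayName": op, "activityDateTime": when, "result": result,
            "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
            "targetResources": [{"type": "User", "userPrincipalName": upn,
                                 "modifiedProperties": props}]}


# Constructed sample export: two records share a timestamp, one addition failed,
# one targets another group and one is an unrelated operation.
SAMPLE_AUDIT_JSON = json.dumps([
    _rec("e1", "2023-05-01T10:00:00Z", "Add member to group", "success",
         "alice@contoso.example", WATCHED_GROUP_ID, "Privileged Admins"),
    _rec("e2", "2023-05-01T10:00:00Z", "Add member to group", "success",
         "bob@contoso.example", OTHER_GROUP_ID, "Everyone"),
    _rec("e3", "2023-05-01T10:05:00Z", "Add member to group", "failure",
         "carol@contoso.example", WATCHED_GROUP_ID, "Privileged Admins"),
    _rec("e4", "2023-05-01T10:07:00Z", "Update user", "success", "carol@contoso.example"),
    _rec("e5", "2023-05-01T10:09:00Z", "Add member to group", "success",
         "dave@contoso.example", WATCHED_GROUP_ID, "Privileged Admins"),
])


@dataclass
class Checkpoint:
    """Where the previous run stopped: the newest timestamp examined plus the
    ids seen at exactly that timestamp, so ties are not re-processed."""
    last_time: datetime = datetime.min.replace(tzinfo=timezone.utc)
    seen_ids: set = field(default_factory=set)


def _parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _unquote(value):
    """Undo the JSON string encoding Graph applies to modifiedProperties values."""
    try:
        parsed = json.loads(value)
        return parsed if isinstance(parsed, str) else value
    except (TypeError, ValueError):
        return value


def _modified_property(record, name):
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == name:
                return _unquote(prop.get("newValue"))
    return None


def _added_user(record):
    for target in record.get("targetResources", []):
        if target.get("type") == "User":
            return target.get("userPrincipalName")
    return None


def load_records(json_text):
    return json.loads(json_text)


def new_group_additions(records, group_id, checkpoint):
    """Return successful additions to group_id that are newer than the
    checkpoint, oldest first, and advance the checkpoint past every record
    examined. Because ingestion lags, callers query an overlapping window;
    the id set at the last timestamp keeps that overlap from firing twice."""
    hits = []
    for rec in sorted(records, key=lambda r: _parse_time(r["activityDateTime"])):
        when = _parse_time(rec["activityDateTime"])
        if when < checkpoint.last_time or (
                when == checkpoint.last_time and rec["id"] in checkpoint.seen_ids):
            continue  # already handled in an earlier run
        if when > checkpoint.last_time:
            checkpoint.last_time = when
            checkpoint.seen_ids = {rec["id"]}
        else:
            checkpoint.seen_ids.add(rec["id"])
        if (rec.get("activityDisplayName") == "Add member to group"
                and rec.get("result") == "success"
                and _modified_property(rec, "Group.ObjectID") == group_id):
            hits.append({"id": rec["id"], "time": rec["activityDateTime"],
                         "user": _added_user(rec),
                         "group": _modified_property(rec, "Group.DisplayName"),
                         "actor": rec["initiatedBy"]["user"]["userPrincipalName"]})
    return hits


if __name__ == "__main__":
    cp = Checkpoint()
    for hit in new_group_additions(load_records(SAMPLE_AUDIT_JSON), WATCHED_GROUP_ID, cp):
        print(f"{hit['time']} {hit['actor']} added {hit['user']} to {hit['group']}")
    # A second pass over the same window finds nothing new.
    print(new_group_additions(load_records(SAMPLE_AUDIT_JSON), WATCHED_GROUP_ID, cp))
```

In a real Function the checkpoint would be persisted between runs (a storage table or blob) and the records would come from the Log Analytics `AuditLogs` table or the Graph `auditLogs/directoryAudits` endpoint rather than from the embedded sample. Note that the checkpoint keys on the event's own activityDateTime; since the first answer points out that records reach the workspace late, a record with an older activity time can arrive after the watermark has moved past it, so in practice key the checkpoint on the ingestion timestamp (TimeGenerated in Log Analytics) instead, keeping the same tie-breaking logic.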
