Active Directory Fundamentals

Creating compliance alerts with Entra Identity Governance

November 14, 2025
Creating Compliance Alerts with Microsoft Entra Identity Governance

“Compliance alerts” in identity land are simple: you define what should be true (policy), detect when reality drifts (signal), and notify the right owner fast enough to fix it (response). Microsoft Entra Identity Governance (Identity Governance) gives you strong policy primitives—like access reviews, entitlement management, and lifecycle automation—while your alerting layer ensures issues don’t sit unnoticed.

If you’re building your governance foundation, start by aligning on what Identity Governance covers and how it fits into the broader Entra access stack. See: Azure AD for Identity Governance: A Comprehensive Guide and Identity governance in Azure AD.

What “compliance alert” means in practice

A useful compliance alert is not “something happened.” It’s “a control failed and needs an owner.” You should be able to answer, for every alert:

  • Control: What policy/control is this enforcing?
  • Signal: What event/data proves the control is failing?
  • Owner: Who is accountable to resolve it?
  • SLA: How quickly must it be resolved (hours/days)?
  • Action: What exact steps close the alert?

Common compliance scenarios Identity Governance can cover

  • Access reviews not completed (reviewers ignored reminders; review window expired).
  • Review outcomes not enforced (removal not applied, exceptions not documented).
  • Access packages drifting from intent (direct assignments bypass packages/approvals).
  • Guest access out of policy (no sponsor/owner, long-lived access, stale guests).
  • Lifecycle workflows failing (joiner/mover/leaver tasks didn’t run, partially ran, or errored).

Guest access is one of the fastest places where compliance drifts. If you haven’t already, read: Managing guest access safely with Microsoft Entra.

Choose your alerting approach (3 patterns that work)

Pattern A: Built-in notifications (fastest to start)

Identity Governance features often include native reminders/notifications (for example, access review emails and escalation flows). Use this when the “owner” is a human reviewer or approver and you mainly need nudges and escalation.

  • Use for: access review reminders, approval requests, review completion prompts.
  • Limitations: harder to centralize, correlate, and report across many controls.

Pattern B: Log-based alerts (best for “compliance operations”)

Route Entra audit/governance events to a SIEM or log store (Log Analytics / Sentinel), then write alert rules. This is the best long-term approach because you can measure trends, reduce noise, and prove controls.

If you’re not already exporting and centralizing Entra logs, do that first: How to export Entra ID logs efficiently.

Pattern C: Workflow-driven alerts (Logic Apps / Power Automate)

Use this when you want “alert + action” (create ticket, notify Teams channel, open a ServiceNow incident, start a remediation runbook). It’s also great when different controls notify different owners.

Step-by-step: Build a compliance alert the “right” way

Step 1: Define the control (make it testable)

  • Example control: “All guest users with access to Finance apps must be reviewed every 30 days.”
  • Pass condition: Review completed on time; removals enforced; exceptions documented.
  • Fail condition: Review overdue OR completion without enforcement OR repeated exceptions.

Step 2: Pick the signal (what data proves failure?)

Typical signals come from access reviews, entitlement management (access packages), and lifecycle workflows. When you’re unsure what to alert on, start by identifying the events in your tenant’s audit logs that correspond to the thing you care about (create/complete review, apply decisions, assignment created, workflow task failed).

Step 3: Decide the notification target (owner mapping)

  • Resource owner model: Alert the application/resource owner (best for app access).
  • Group owner model: Alert the group owner (best for group-based access).
  • Central governance model: Alert a compliance queue + assign tickets to owners (best at scale).

Step 4: Choose the delivery channel (email vs ticket vs SIEM)

  • Email/Teams: Good for reminders and quick fixes.
  • Ticketing: Best for SLAs, audit trails, and accountability.
  • SIEM: Best for correlation with security signals and reporting.

Step 5: Add guardrails (reduce noise, preserve evidence)

  • Deduplicate: alert once per review/campaign, not per event.
  • Throttle: alert on thresholds (e.g., “10+ overdue reviews”) not every single overdue instance.
  • Capture evidence: include who/what/when plus deep link to the governance object.

Example alert recipes (practical, copy-paste friendly)

The exact event names/fields vary by tenant configuration and log routing. Treat these as patterns: start broad, inspect results, then tighten.

Recipe 1: Alert when access reviews are overdue

Use this when completion itself is your compliance control. Start with access reviews fundamentals here: What are Access Reviews in Azure AD. 

// Pattern: find access-review activity and detect “no completion” within a window
// Replace table names and fields to match your log destination (AuditLogs, etc.)

AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName has_any ("Access review", "accessReview", "Review")
| summarize
    Started=min(TimeGenerated),
    LastEvent=max(TimeGenerated),
    Events=make_set(OperationName, 50)
  by CorrelationId, InitiatedBy=tostring(InitiatedBy.user.userPrincipalName)
| where LastEvent < ago(7d)   // example: no events for 7 days

Make this “real” by mapping it to your review cadence: if your review window is 14 days, alert on day 10 and escalate on day 14.

Recipe 2: Alert when access package assignments violate policy intent

Ideal when you use entitlement management for “who should have what” and want to catch bypasses or long-lived assignments. 

// Pattern: watch entitlement/access package assignments or changes
AuditLogs
| where TimeGenerated > ago(14d)
| where OperationName has_any ("Entitlement", "Access package", "assignment", "Catalog")
| project TimeGenerated, OperationName, Result, InitiatedBy, TargetResources, AdditionalDetails
| where Result !~ "success"  // alert on failures OR adapt to detect bypass patterns

A strong control here is “all access to X must be via access package.” Your alert becomes: “direct group membership added” or “direct app assignment added” for governed resources.

Recipe 3: Alert when lifecycle workflows fail (joiner/mover/leaver controls)

// Pattern: detect workflow/task failures (naming varies; start broad)
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName has_any ("Lifecycle", "workflow", "task")
| where Result !~ "success"
| project TimeGenerated, OperationName, Result, ResultReason=tostring(ResultReason), InitiatedBy, TargetResources

Recipe 4: Alert on high-risk deletes/changes that impact compliance evidence

Compliance breaks when identities disappear without traceability (especially leavers, guests, and privileged accounts). Build alerts for deletion activity and correlate it with governance workflows. See: How to detect user account deletions in Microsoft Entra ID.

Operational checklist

  • Start with 3–5 controls you can enforce end-to-end (avoid “alert-only” compliance theater).
  • Make owners explicit: resource owner, group owner, or governance queue.
  • Use tiers: reminder → escalation → ticket → incident (not everything is a P1).
  • Document exceptions: why, who approved, expiry date, next review date.
  • Prove closure: the alert isn’t “closed” until the access state matches the policy again.

Common pitfalls (and how to avoid them)

  • Alert spam: throttle, dedupe, and alert on thresholds or SLAs, not raw events.
  • Missing ownership: if you can’t name an owner, route to a governance queue with assignment rules.
  • No remediation path: every alert should include “how to fix” and a deep link to the object.
  • Disconnected telemetry: centralize logs early so you can correlate and report.
  • Ignoring guests: guest access drifts fastest—review it more frequently than employees.

Wrap-up: Build alerts as a governance system, not a notification system

The win isn’t “we got an email.” The win is “policy drift gets detected, assigned, remediated, and evidenced—every time.” Start small with a few high-value controls, centralize telemetry, and iterate until your governance alerts become a reliable compliance mechanism instead of background noise.

Related posts
Active Directory Fundamentals

Migrating from AD FS to Azure AD SSO

December 19, 2025
Active Directory FundamentalsActive Directory PoliciesUncategorized

Role-based access control (RBAC) in Azure

December 19, 2025
Active Directory Fundamentals

Federation strategies using Entra

December 19, 2025
Active Directory Fundamentals

Tracking privilege escalation in Azure AD

December 19, 2025
×

There are over 8,500 people who are getting towards perfection in Active Directory, IT Management & Cyber security through our insights from Identitude.

Wanna be a part of our bimonthly curation of IAM knowledge?

  • -Select-
  • By clicking 'Become an insider', you agree to processing of personal data according to the Privacy Policy.