Overview

This recipe creates a scheduled agent that runs daily to check for new admin role assignments across your connected M365 tenants. If any new privileged role assignments are detected, the agent sends a Teams notification so your team can verify they’re authorized.
This is a scheduled agent — it runs on a cadence without processing a specific ticket. See Scheduled Agents for how this works.

How it works

  • Agent runs daily (e.g., 7:00 AM) and queries directory role assignments and audit logs across connected tenants
  • If new admin role assignments are found in the last 24 hours, sends a Teams alert with details
  • If nothing new is found, the agent completes silently

Setup

1. Create the agent

  • Name: “M365 Admin Role Monitor”
  • Type: Agent
  • Trigger: Scheduled
  • Cadence: Daily at 7:00 AM (or your preferred time)
2. Configure M365 integration permissions

Ensure your M365 integration has these permission groups enabled at Read Only (minimum):
  • Directory Roles — to list current role assignments
  • Audit & Reports — to query audit logs for recent changes
3. Enable communication tools

Enable Send Teams Message (or Send Internal Email) so the agent can alert your team when new assignments are found.
4. Write custom instructions

For each connected M365 tenant:

1. Query the directory audit logs for the last 24 hours, filtering for
   role assignment events ("Add member to role")
2. Focus on privileged roles: Global Administrator, Exchange Administrator,
   SharePoint Administrator, Security Administrator, Privileged Role
   Administrator, Teams Administrator, Intune Administrator
3. For each new assignment found, collect:
   - The user who was assigned the role
   - Which role was assigned
   - Who performed the assignment
   - When it occurred
4. If any new assignments are found, send a Teams message to the
   security-alerts channel with a summary table of all findings
5. If no new assignments are found in any tenant, do not send any message
5. Test and enable

  • Enable test mode for the first run
  • Review the execution log in Event History after the first scheduled run
  • Once satisfied, disable test mode and enable the workflow

Variations

Alert via ticket instead of Teams

Replace the Teams notification with a Create New Ticket instruction. The agent will create a ticket in your PSA whenever new privileged assignments are detected (the agent cannot tell whether a change was authorized; the ticket is where your team makes that call), letting your team track verification and any remediation through your normal workflow.

Include all role changes (not just additions)

Expand the audit log query to also include role removal events ("Remove member from role"). This gives visibility into both escalations and de-escalations of privilege, and surfaces the pattern of a role being granted and removed again inside the same window, which a query for additions alone would still report but without showing the removal.
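The filtering logic the custom instructions describe, extended with the role-removal variation, as an added example in Python. This is not the agent product's own code; it is standalone illustration of what the agent is being asked to do. The audit records are constructed to mirror the shape of Microsoft Graph `/auditLogs/directoryAudits` entries (`activityDisplayName`, `result`, `initiatedBy`, `targetResources` with `Role.DisplayName` in `modifiedProperties`); the tenant name, user principal names and timestamps are made up.

```python
"""Filter Entra ID directory audit records for new privileged role assignments.

Added example, not the agent product's code. SAMPLE_RECORDS below is constructed
test data shaped like Graph directoryAudit entries; nothing here is a real tenant.
"""
import json
from datetime import datetime, timedelta, timezone

# The privileged role list from the recipe's custom instructions.
PRIVILEGED_ROLES = {
    "Global Administrator", "Exchange Administrator", "SharePoint Administrator",
    "Security Administrator", "Privileged Role Administrator",
    "Teams Administrator", "Intune Administrator",
}
# Entra audit activity names for active role membership changes.
ASSIGN_ACTIVITIES = {"Add member to role"}
REMOVE_ACTIVITIES = {"Remove member from role"}   # used by the "all role changes" variation


def _role_name(record):
    """Role display name from the target's modifiedProperties.
    Graph JSON-encodes newValue ('"Global Administrator"'), hence json.loads."""
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName" and prop.get("newValue"):
                return json.loads(prop["newValue"])
    for target in record.get("targetResources", []):   # fallback: role as a target resource
        if target.get("type") == "Role":
            return target.get("displayName")
    return None


def _actor(record):
    """Who performed the change: a user UPN, or an app (service principal)."""
    who = record.get("initiatedBy") or {}
    if who.get("user"):
        return who["user"].get("userPrincipalName") or who["user"].get("displayName")
    if who.get("app"):
        return "app:" + str(who["app"].get("displayName"))
    return "unknown"


def _assignee(record):
    for target in record.get("targetResources", []):
        if target.get("type") in ("User", "ServicePrincipal", "Group"):
            return target.get("userPrincipalName") or target.get("displayName")
    return "unknown"


def find_privileged_role_changes(tenant, records, now, lookback=timedelta(hours=24),
                                 activities=frozenset(ASSIGN_ACTIVITIES)):
    """Return one finding per successful privileged role change inside the window."""
    since = now - lookback
    findings = []
    for r in records:
        if r.get("activityDisplayName") not in activities:
            continue
        if r.get("result") != "success":        # failed attempts are noise for this alert
            continue
        when = datetime.fromisoformat(r["activityDateTime"].replace("Z", "+00:00"))
        if when < since or when > now:
            continue
        role = _role_name(r)
        if role not in PRIVILEGED_ROLES:
            continue
        findings.append({"tenant": tenant, "user": _assignee(r), "role": role,
                         "action": r["activityDisplayName"], "assigned_by": _actor(r),
                         "when": when.isoformat()})
    return findings


def format_teams_summary(findings):
    """Markdown table for the Teams alert; an empty string means 'send nothing'."""
    if not findings:
        return ""
    rows = ["| Tenant | User | Role | Action | By | When |", "|---|---|---|---|---|---|"]
    for f in findings:
        rows.append(f"| {f['tenant']} | {f['user']} | {f['role']} | {f['action']} | "
                    f"{f['assigned_by']} | {f['when']} |")
    return "\n".join(rows)


def _record(activity, when, role, upn, actor, result="success"):
    """Build a constructed directoryAudit-shaped record (test data only)."""
    return {"category": "RoleManagement", "activityDisplayName": activity,
            "activityDateTime": when, "result": result,
            "initiatedBy": {"user": {"userPrincipalName": actor}, "app": None},
            "targetResources": [{"type": "User", "userPrincipalName": upn,
                                 "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                         "oldValue": None,
                                                         "newValue": json.dumps(role)}]}]}


NOW = datetime(2024, 5, 1, 7, 0, tzinfo=timezone.utc)   # the 7:00 AM scheduled run
SAMPLE_RECORDS = [  # constructed; covers hit, non-privileged role, old event, removal, failure
    _record("Add member to role", "2024-05-01T02:15:00Z", "Global Administrator",
            "alice@contoso.example", "it-admin@contoso.example"),
    _record("Add member to role", "2024-05-01T03:40:00Z", "Helpdesk Administrator",
            "bob@contoso.example", "it-admin@contoso.example"),
    _record("Add member to role", "2024-04-29T09:00:00Z", "Exchange Administrator",
            "carol@contoso.example", "it-admin@contoso.example"),
    _record("Remove member from role", "2024-05-01T04:00:00Z", "Global Administrator",
            "dave@contoso.example", "it-admin@contoso.example"),
    _record("Add member to role", "2024-05-01T05:00:00Z", "Security Administrator",
            "erin@contoso.example", "it-admin@contoso.example", result="failure"),
]

if __name__ == "__main__":
    hits = find_privileged_role_changes("contoso", SAMPLE_RECORDS, NOW)
    print(format_teams_summary(hits) or "No new privileged assignments; nothing sent.")
```

Only the Global Administrator grant to alice survives the default filter: bob's role is not in the privileged list, carol's event is older than the window, dave's is a removal, and erin's attempt failed. Passing `activities=ASSIGN_ACTIVITIES | REMOVE_ACTIVITIES` adds dave's removal, which is the "include all role changes" variation. Matching on `Role.TemplateId` instead of the display name would be more robust if you want to avoid string comparisons, and a real run should widen `lookback` past the cadence and de-duplicate on the record `id`.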

Best practices

  • Run at a consistent time each day so your team knows when to expect alerts
  • Keep the privileged role list focused on the most critical roles to reduce noise
  • Use a lookback window slightly longer than the cadence (for example 25 hours for a daily run) and de-duplicate on the audit record ID, so events logged near the boundary or delayed in audit log ingestion are not missed
  • If a tenant uses Privileged Identity Management, eligible assignments and PIM activations are logged under separate activity names (for example "Add eligible member to role"), so filtering on "Add member to role" alone will not catch them; extend the filter if you rely on PIM
  • Consider creating a dedicated Teams channel for these security alerts