
Microsoft 365 monitoring and alerts

How to monitor a Microsoft 365 tenant — service health, audit logs, security alerts, and third-party tooling.

Microsoft 365 is a SaaS service, but it still benefits from monitoring — not for uptime (Microsoft handles that), but for tenant-specific issues: misconfigurations, security events, usage anomalies, integration failures. Knowing what to watch and where to watch it is half the battle.

Microsoft-hosted dashboards

The core surfaces built into Microsoft 365:

  • Service Health at admin.microsoft.com → Health — current and historical incidents affecting your tenant.
  • Message Center — upcoming changes.
  • Microsoft 365 Adoption at admin.microsoft.com → Reports — usage data per workload.
  • Microsoft Secure Score at security.microsoft.com/securescore — security posture scoring.
  • Microsoft Compliance Manager at purview.microsoft.com — compliance posture against frameworks (ISO 27001, NIST, etc.).
  • Defender XDR at security.microsoft.com — security incidents, alerts, hunting.
  • Entra ID sign-in logs — authentication activity, user-level detail.
  • Audit log — every administrative action across the tenant.

What to watch

A practical minimum:

Identity

  • Failed sign-ins — patterns of failed authentication, especially across many users (password spray).
  • Risky sign-ins — Identity Protection signals.
  • MFA fatigue patterns — repeated MFA prompts that the user eventually approves out of frustration.
  • Privileged role activations — every PIM activation is logged.

Mail

  • Bulk mail sent — sudden spike from any account.
  • Forwarding rules created — a common indicator of a compromised account.
  • Quarantine release rates.

Files

  • Mass downloads from OneDrive or SharePoint.
  • Anonymous link creation for sensitive content.
  • External sharing patterns.

Apps

  • OAuth consent grants — particularly to apps requesting broad Graph permissions.
  • New service principals being created.

Capacity

  • Mailbox quota approaching limits.
  • OneDrive storage approaching tenant pool limits.
  • SharePoint storage for the tenant.
  • Defender capacity consumption.

Alerting on the activity

Microsoft 365 offers built-in alert policies in the Defender portal and Purview compliance portal. Custom alerts can fire on:

  • Audit log activity matching a query.
  • Sensitivity label application or removal.
  • DLP rule matches.
  • Defender XDR correlated incidents.

Alerts can route to email, Teams (via Power Automate), or any SIEM via the Office 365 Management Activity API.
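The "What to watch" list above and the "audit log activity matching a query" alert type are easiest to understand with the detection logic written out. The following is an added example, not code from the original page or from Microsoft: a small Python detector that runs three of the identity, mail and app checks (password spray from one IP, a newly created forwarding rule, and an OAuth consent to broad Graph permissions) over constructed audit records. The record layout is modelled loosely on what the Office 365 Management Activity API returns; the field names, thresholds, scope list and every sample value are assumptions constructed for illustration.

```python
"""Added example, not code from the original page: the "What to watch" checks
run over constructed Microsoft 365 audit records. The record layout is modelled
loosely on Office 365 Management Activity API output; thresholds, scope lists
and all sample values are assumptions constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
SPRAY_MIN_USERS = 5                   # distinct accounts failing from one IP...
SPRAY_WINDOW = timedelta(minutes=30)  # ...inside this window (assumed threshold)
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
BROAD_GRAPH_SCOPES = {"Mail.ReadWrite", "Mail.Read", "Files.ReadWrite.All",
                      "Directory.ReadWrite.All", "MailboxSettings.ReadWrite"}

# Constructed sample records (no real tenant data).
RECORDS = [
    # one IP failing once against eight different accounts in eight minutes
    *[{"CreationTime": f"2024-05-01T08:0{i}:00", "Operation": "UserLoginFailed",
       "UserId": f"user{i}@contoso.example", "ClientIP": "203.0.113.7"}
      for i in range(8)],
    # a single user mistyping a password: not a spray
    {"CreationTime": "2024-05-01T09:00:00", "Operation": "UserLoginFailed",
     "UserId": "alice@contoso.example", "ClientIP": "198.51.100.4"},
    # an inbox rule forwarding mail outside the tenant and deleting the original
    {"CreationTime": "2024-05-01T10:15:00", "Operation": "New-InboxRule",
     "UserId": "bob@contoso.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "ForwardTo", "Value": "mailbox@external.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    # a user consenting to an app that asks for a broad Graph mail scope
    {"CreationTime": "2024-05-01T11:00:00", "Operation": "Consent to application.",
     "UserId": "carol@contoso.example", "ClientIP": "198.51.100.9",
     "ModifiedProperties": [
         {"Name": "ConsentContext.IsAdminConsent", "NewValue": "False"},
         {"Name": "ConsentAction.Permissions",
          "NewValue": "User.Read Mail.ReadWrite offline_access"}]},
]

def _ts(record):
    return datetime.fromisoformat(record["CreationTime"])

def detect_password_spray(records):
    """One IP failing sign-ins for many distinct users inside SPRAY_WINDOW."""
    by_ip = defaultdict(list)
    for r in records:
        if r.get("Operation") == "UserLoginFailed":
            by_ip[r["ClientIP"]].append(r)
    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=_ts)
        peak = start = 0
        for end, rec in enumerate(events):  # sliding time window over sorted events
            while _ts(rec) - _ts(events[start]) > SPRAY_WINDOW:
                start += 1
            peak = max(peak, len({e["UserId"] for e in events[start:end + 1]}))
        if peak >= SPRAY_MIN_USERS:
            alerts.append({"rule": "password_spray", "severity": "high",
                           "ClientIP": ip, "distinct_users": peak})
    return alerts

def detect_forwarding_rules(records):
    """Inbox rule or mailbox change that forwards or redirects mail."""
    alerts = []
    for r in records:
        if r.get("Operation") not in {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}:
            continue
        params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
        hits = sorted(FORWARDING_PARAMS & set(params))
        if hits:
            alerts.append({"rule": "mail_forwarding", "severity": "high",
                           "UserId": r["UserId"], "targets": [params[h] for h in hits],
                           "deletes_original": params.get("DeleteMessage") == "True"})
    return alerts

def detect_broad_consent(records):
    """Consent to an app requesting broad Microsoft Graph permissions."""
    alerts = []
    for r in records:
        if r.get("Operation") != "Consent to application.":
            continue
        props = {p["Name"]: p.get("NewValue", "") for p in r.get("ModifiedProperties", [])}
        scopes = set(props.get("ConsentAction.Permissions", "").replace(",", " ").split())
        broad = sorted(scopes & BROAD_GRAPH_SCOPES)
        if broad:
            alerts.append({"rule": "broad_oauth_consent", "severity": "medium",
                           "UserId": r["UserId"], "scopes": broad,
                           "admin_consent": props.get("ConsentContext.IsAdminConsent") == "True"})
    return alerts

def run_detections(records):
    """Run every rule and return the alerts, highest severity first."""
    alerts = (detect_password_spray(records) + detect_forwarding_rules(records)
              + detect_broad_consent(records))
    return sorted(alerts, key=lambda a: {"high": 0, "medium": 1, "low": 2}[a["severity"]])

if __name__ == "__main__":
    for alert in run_detections(RECORDS):
        print(alert)
```

Run as a script it prints three alerts: the spray from 203.0.113.7 (eight distinct users in the window), Bob's forwarding rule with its external target and delete flag, and Carol's consent to Mail.ReadWrite. The thresholds are deliberately separate constants so they can be tuned per tenant; a real feed would replace RECORDS with the JSON content blobs pulled from the Management Activity API and forward the alert dictionaries to Teams or the SIEM.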

Microsoft Sentinel

For organisations wanting a proper SIEM, Microsoft Sentinel ingests logs from Microsoft 365 (free for most Microsoft 365 sources via Defender XDR integration) plus third-party sources (firewalls, network gear, custom apps). Sentinel adds:

  • Long-term log retention.
  • Cross-source correlation rules.
  • Automation playbooks (Logic Apps).
  • Custom hunting at scale.

Defender XDR + Sentinel together cover most enterprise monitoring needs.

Third-party tools

For organisations not running Sentinel:

  • Splunk, Elastic, Datadog, Sumo Logic, Cribl all have Microsoft 365 connectors.
  • CoreView, Quadrotech (Quest), Hornbill for tenant-management-specific monitoring.
  • Cisco Talos, Mimecast, Vade for email-side anomaly detection (when used alongside Microsoft).

A starter monitoring runbook

For a tenant that has nothing in place today:

  1. Turn on Defender XDR alerts with default policies.
  2. Connect Entra ID sign-in logs to Defender XDR / Sentinel.
  3. Enable Purview audit (on by default, with extended retention on E5).
  4. Configure Teams notifications for high-severity Defender XDR incidents via Power Automate.
  5. Set a weekly digest of Secure Score progress to the security team.
  6. Review the usage reports monthly for unusual patterns.

That gets you from "blind" to "aware" in a couple of days. Maturity comes with iteration.