Notify users when a Temporary Access Pass is registered for them
This is a guide to setting up a custom solution, built on Azure, that notifies end users when a Temporary Access Pass (TAP) has been registered for them. There are several reasons to do this:
- When an admin registers a TAP for a user, the user's default modern sign-in prompt asks for the TAP by default instead of the password, which can cause confusion
- Security notification: whenever anyone gains access to a user's personal data and account, this should trigger a notification/alert
- It is an IT security requirement
Prerequisites
- Azure subscription, Resource group, Azure Log Analytics Workspace
- Entra diagnostic settings forwarding the “Audit Logs” category to that Log Analytics Workspace
Setup
Important: you don’t need an Alert rule if you set the Logic App up with a schedule instead, but that causes more Logic App runs and produces no alerts in Azure Monitor.
Alert rule 🚨
Create a new Alert rule in Azure Monitor:
Add a Scope, choose your Log Analytics Workspace here:
Choose a Custom log search as the signal and insert this query:
The query looks for the TAP registration action in the AuditLogs table.
AuditLogs
| where ResultDescription == "Admin registered temporary access pass method for user"
| extend UserPrincipalName = TargetResources[0].userPrincipalName
| project UserPrincipalName, OperationName, ResultDescription, InitiatedBy
Edit the alert logic to trigger when ‘greater than 0’ results were found, i.e. whenever any event is retrieved.
Create a new action group:
Add Logic App as Action type and specify the Logic App.
Important: make sure the Logic App already exists at this point and has either no trigger or a “When a HTTP request is received” trigger.
Give your Alert a custom name and choose a severity and description if you want.
Logic app 💡
Create a Logic App in Azure using the Consumption plan.
Ensure the Managed Identity is enabled and add an Azure role assignment. (Learn more about Managed Identities)
Add the following role:
Scope: Resource group
Subscription: your subscription
Resource group: where your Log Analytics Workspace is located
Role: Log Analytics Reader
Set the Logic app up with the following parts.
The “Run query and list results” action requires an initial connection to be configured.
Insert this query here (it does essentially the same as the query above, but here the time range is specified inside the query):
AuditLogs
| where ResultDescription == "Admin registered temporary access pass method for user"
| extend UserPrincipalName = TargetResources[0].userPrincipalName
| where TimeGenerated >= ago(10m)
| project UserPrincipalName
Add “Send an email” and choose the dynamic content UserPrincipalName as recipient.
This also requires an initial connection to provide a sender email address/account. Ideally create a service account/noreply address for this.
Add a subject and body; see this sample:
Dear user,
A Temporary Access Pass was issued for your account that has full access to all your data and account.
If you think this action was illegitimate, please contact your IT support.
Best,
your IT department
(hint: if this dynamic content is not shown, click on “See more”)
This adds a “For Each” loop, since there could be multiple events; this is normal behavior.
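As an added example (not part of the original guide), the following Python models the same filtering the alert query and the Logic App perform, run over constructed AuditLogs rows: it keeps only TAP registrations inside the 10-minute window, reads the target from TargetResources[0] and builds one mail per affected user. It goes slightly beyond the guide by notifying each user once per run, and the mail subject is my own choice, since the guide leaves it open.

```python
"""Model of this guide's notification pipeline: filter AuditLogs rows for
admin-registered TAPs within the last 10 minutes, take the target UPN from
TargetResources[0] and build one mail per affected user. Sample rows are constructed."""
from datetime import datetime, timedelta, timezone

TAP_RESULT = "Admin registered temporary access pass method for user"
WINDOW = timedelta(minutes=10)          # matches `where TimeGenerated >= ago(10m)`
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the sample

def _row(minutes_ago, result, target):
    """Build one constructed AuditLogs row with only the columns the query uses."""
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago),
            "OperationName": "Admin registered security info",
            "ResultDescription": result,
            "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
            "TargetResources": [{"userPrincipalName": target}] if target else []}

SAMPLE_LOGS = [
    _row(2, TAP_RESULT, "alice@contoso.example"),                      # in window
    _row(3, TAP_RESULT, "Alice@contoso.example"),                      # same user, other case
    _row(30, TAP_RESULT, "bob@contoso.example"),                       # too old
    _row(1, "Admin registered phone method for user", "carol@contoso.example"),  # not a TAP
    _row(1, TAP_RESULT, None),                                         # no target, skipped
]

def tap_registrations(logs, now=NOW, window=WINDOW):
    """Equivalent of the Logic App query: TAP rows inside the window, reduced to
    the target UPNs. Unlike the For Each loop, each user is returned once."""
    upns = []
    for row in logs:
        if row.get("ResultDescription") != TAP_RESULT:
            continue
        if row["TimeGenerated"] < now - window:
            continue
        targets = row.get("TargetResources") or []
        upn = targets[0].get("userPrincipalName") if targets else None
        if upn and upn.lower() not in upns:
            upns.append(upn.lower())
    return upns

def build_notifications(logs, now=NOW):
    """One mail per affected user with the body from the guide; an empty list
    means the alert condition ('greater than 0' results) is not met."""
    body = ("Dear user,\n\nA Temporary Access Pass was issued for your account that "
            "has full access to all your data and account.\nIf you think this action "
            "was illegitimate, please contact your IT support.\n\nBest,\nyour IT department")
    return [{"to": upn, "subject": "A Temporary Access Pass was issued for your account",
             "body": body} for upn in tap_registrations(logs, now)]
```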
Sample
Let’s play admin and create a TAP for a user:
This is how the mail to the user then looks:
The whole solution is fast; the only part that takes some time is the forwarding of the audit events to the Log Analytics Workspace (LAW). Overall, the user should be notified within 20 minutes after an admin issues a TAP.