How to enable Alert Policies to monitor for unusual activities in SharePoint Online
When you store your company’s documents in SharePoint, a valid concern is data integrity. Is my data in SharePoint Secure? was one of the articles I wrote a while back; it addressed whether the data stored in SharePoint and OneDrive is safe and secure. Data loss can occur in one of two scenarios: a security compromise at Microsoft data centers, or a human (employee) factor, whether accidental or intentional. Most likely, every organization, large or small, is concerned about data loss caused by rogue employees or by inadvertent mishandling of files and folders due to user error.
While user error or intentional mishandling of documents can take the form of a mass download of company documents or external sharing with unauthorized users, probably the worst case is when files and folders are deleted in bulk from a given SharePoint site, which can result in irreversible damage if no backup is in place.
Luckily, there is a way to set up alert policies for such behaviors, so you are notified as soon as such activity occurs.
Alert policies are configured in Microsoft Purview (the Compliance Center), so you need to be either a Microsoft 365 Global Admin or be assigned a role that grants access to the Compliance Center.
- From the Microsoft 365 App Launcher, click Compliance
- Once in Microsoft Purview (Compliance Center), click Policies > Alert policies
- You will now be on a screen where you can create alert policies. You will probably note that some default policies for most common scenarios already exist. For example, you will notice two policies that could be of interest to you: Unusual volume of file deletion and Unusual external user file activity
- However, these are built-in/default policies, and you cannot alter their logic or triggers. For example, the Unusual volume of file deletion policy decides what counts as “unusual” from a baseline of your company’s SharePoint usage, and you cannot control that threshold. You can turn the policy off if necessary.
- To create a new custom alert policy, click New alert policy
- Next, give it a Name. You can then choose its Severity and Category (those have nothing to do with the trigger and are just ways for you to categorize a given policy for your own benefit). Click Next.
- On the next screen, you will set up a trigger. You can choose from a list of available triggers/activities; in our case, the activity is file deletion.
- Just below the triggers, you need to choose the conditions for the alert. Please note that if you do not see this option, you do not have the proper license and will need to purchase a more expensive license to customize these settings. In my case, I am setting up an alert when a user deletes 15 or more files within a 1-hour window.
- On the final setup screen, you can specify whom the alert will be emailed to. You can also limit how many of these alert emails you receive per day. Click Next.
- Finally, you can review the settings and enable the alert policy immediately by clicking Finish.
- You will now see the policy created; it appears in the table that lists all alert policies, default and custom.
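As an added example that is not from the original post, the same custom policy created with Security & Compliance PowerShell (New-ProtectionAlert from the ExchangeOnlineManagement module) instead of the Purview UI, followed by two checks. The admin UPN, recipient address and policy name are placeholders, and the notification-throttling parameters are assumed to behave as documented for New-ProtectionAlert.

```powershell
# Added example (not from the original post): create the post's custom alert
# policy with Security & Compliance PowerShell. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account can manage alert policies.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

$recipient = 'secops@contoso.example'   # placeholder: who receives the alert e-mail

# Trigger: the audit operation FileDeleted. Condition: 15 or more deletions
# within a 60-minute window, matching the settings chosen in the UI above.
# NotifyUserThrottle*: at most 5 alert e-mails per 1440 minutes (one day),
# the PowerShell equivalent of the daily e-mail limit on the final UI screen (assumed).
New-ProtectionAlert -Name 'Bulk file deletion (custom)' `
    -Category DataGovernance `
    -Severity Medium `
    -ThreatType Activity `
    -Operation FileDeleted `
    -AggregationType SimpleAggregation `
    -Threshold 15 `
    -TimeWindow 60 `
    -NotifyUser $recipient `
    -NotifyUserThrottleThreshold 5 `
    -NotifyUserThrottleWindow 1440

# Check 1: the new policy is now listed next to the built-in ones.
Get-ProtectionAlert | Where-Object { $_.Name -eq 'Bulk file deletion (custom)' } | Format-List

# Check 2: alert policies evaluate the unified audit log, so confirm that FileDeleted
# events are actually being recorded. Search-UnifiedAuditLog is an Exchange Online
# cmdlet, hence the second connection. No rows for a busy tenant usually means
# auditing is not enabled or has not caught up yet.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder UPN
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -RecordType SharePointFileOperation -Operations FileDeleted -ResultSize 500 |
    Group-Object UserIds |
    Select-Object Name, Count |
    Sort-Object Count -Descending
```

The grouped output of the second check shows, per user, how many deletions the last day contained, which is a quick way to sanity-check whether the 15-per-hour threshold is reasonable for your tenant before relying on the alert.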
Important Notes
- It does take up to 24 hours for the alert policies to take effect. (Image below courtesy of Microsoft)
- Some settings I describe might not be available in your tenant due to licensing. Make sure you have proper licensing assigned to the Admins. (Image below courtesy of Microsoft)
- As mentioned above, Default policies cannot be altered and are based on internal logic. (Image below courtesy of Microsoft)
Policy Alert in action
Once the suspicious activity matches the trigger you specified in the alert policy, the recipients you specified during policy creation will receive an email similar to the one below.
Example of the email received by an Administrator or designated recipients when the alert policy is triggered
Clicking Alert Details from the email above provides additional details on the Activity (in the use case above, it notified the Administrator that the user shared a document externally – this was another alert policy I set up in my tenant).
Alternatives to Alert Policies
The alert policy described above is an excellent mechanism for being notified as soon as destructive activity occurs in your tenant. However, you can also be more proactive and set up other mechanisms that complement (or replace) alert policies.
Retention policies
Setting up proper retention or records policies prevents content from being deleted in the first place. I explained this in a previous post.
Security and permissions
Quite often, things happen on a given site or team simply because users have access to content they should not have. So avoid oversharing and make sure proper security and permissions are set up.
Training
Finally, do not forget training. Many incidents happen not out of bad intent but by accident, from a lack of knowledge and understanding of what certain actions in SharePoint and Teams actually do. So do not skip basic training for your staff.