Detect and respond to security alerts

Appropriate roles: Admin agent

Applies to: Partner Center Direct Bill and Indirect Providers

You can subscribe to a new security alert for detections related to unauthorized party abuse and account takeovers. This security alert is one of the many ways Microsoft provides the data you need to secure your customer's tenants. You can subscribe to a new security alert for detections related to unauthorized party abuse and account takeovers. This security alert is one of the many ways Microsoft provides the data you need to secure your customer's tenants.

Important

As a partner in the Cloud Solution Provider (CSP) program, you're responsible for your customers' Azure consumption, so it's important that you're aware of any anomalous usage in your customer's Azure subscriptions. Use Microsoft Azure security alerts to detect patterns of fraudulent activities and misuse in Azure resources to help reduce your exposure to online transaction risks. Microsoft Azure security alerts don't detect all types of fraudulent activities or misuse, so it's critical that you use additional methods of monitoring to help detect anomalous usage in your customer's Azure subscriptions. To learn more, see Managing nonpayment, fraud, or misuse and Managing customer accounts.

Action required: With monitoring and signal awareness, you can take immediate action to determine whether the behavior is legitimate or fraudulent. If necessary, you can suspend affected Azure resources or Azure subscriptions to mitigate an issue.

Make sure that the preferred email address for your Partner Admin Agents is up-to-date, so they can be notified along with the security contacts.

Subscribe to security alert notifications

You can subscribe to various partner notifications based on your role.

Security alerts notify you when your customer's Azure subscription shows possible anomalous activities.

Get alerts by email

  1. Sign in to Partner Center and select Notifications (bell).
  2. Select My preferences.
  3. Set a preferred email address if you haven't already done so.
  4. Set the preferred language for the notification if you haven't already done so.
  5. Select Edit next to Email notification preferences.
  6. Check all boxes relating to Customers in the Workspace column. (To unsubscribe, unselect the transactional section under customer workspace.)
  7. Select Save.

We send security alerts when we detect possible security alert activities or misuse in some of your customers' Microsoft Azure subscriptions. There are three types of emails:

  • Daily summary of unresolved security alerts (count of partners, customers, and subscriptions affected by various alert types)
  • Near real-time security alerts. To get a list of Azure subscriptions that have potential security concerns, see Get fraud events.
  • Near real-time security advisory notifications. These notifications provide visibility into the notifications sent to the customer when there's a security alert.

Cloud Solution Provider (CSP) direct bill partners can see more alerts for activities, for example: anomalous compute usage, crypto mining, Azure Machine Learning usage, and service health advisory notifications. Cloud Solution Provider (CSP) direct bill partners can see more alerts for activities, for example: anomalous compute usage, crypto mining, Azure Machine Learning usage, and service health advisory notifications.

Get alerts through a webhook

Partners can register to a webhook event: azure-fraud-event-detected to receive alerts for resource change events. To learn more, see Partner Center webhook events.

See and respond to alerts through the Security Alerts dashboard

CSP partners can access the Partner Center Security Alerts dashboard to detect and respond to alerts. To learn more, see Respond to security events with Partner Center Security Alerts dashboard. CSP partners can access the Partner Center Security Alerts dashboard to detect and respond to alerts. To learn more, see Respond to security events with Partner Center Security Alerts dashboard.

Get alert details through API

Use the new Microsoft Graph Security Alerts API (Beta)

Benefits: Starting in May 2024, the preview version of the Microsoft Graph Security Alerts API is available. This API provides a unified API gateway experience across other Microsoft services such as Microsoft Entra ID, Teams, and Outlook.

Onboarding requirements: CSP partners who are onboarding are required to use the new Security Alerts Beta API. To learn more, see Use the partner security alert API in Microsoft Graph.

The Microsoft Graph Security Alerts API V1 version will be released in July 2024.

Use case APIs
Onboard to Microsoft Graph API to get Access Token Get access on behalf of a user
List Security Alerts to get visibility into the alerts List securityAlerts
Get Security Alerts to get visibility into a specific alert based on the query param selected. Get partnerSecurityAlert
Get token to call the Partner Center APIs for reference information Enable secure application model
Get your Organization Profile information Get an organization profile
Get your Customer information by ID Get a customer by ID
Get your Indirect Resellers information of a Customer by ID Get indirect resellers of a customer
Get Customer's Subscription information by ID Get a subscription by ID
Update alert status and resolve when mitigated Update partnerSecurityAlert

Support for the existing FraudEvents API

Important

The legacy fraud events API will be deprecated in CY Q4 2024. For more details, please look out for monthly Partner Center Security announcements. CSP partners should migrate to the new Microsoft Graph Security Alerts API, which is now available in preview.

During the transition period, CSP partners can continue to use the FraudEvents API to get extra detection signals using X-NewEventsModel. With this model, you can get new types of alerts as they're added to the system, for example, anomalous compute usage, crypto mining, Azure Machine Learning usage, and service health advisory notifications. New types of alerts can be added with limited notice, because threats are also evolving. If you use special handling through the API for different alert types, monitor these APIs for changes:

What to do when you receive a security alert notification

The following checklist provides suggested next steps for what to do when you receive a security notification.

  • Check to make sure the email notification is valid. When we send security alerts, they're sent from Microsoft Azure, with the email address: [email protected]. Partners only receive notification from Microsoft.
  • When you're notified, you can also see the email alert in the Action Center portal. Select the bell icon to see the Action Center alerts.
  • Review the Azure subscriptions. Determine whether the activity in the subscription is legitimate and expected, or whether the activity might be due to unauthorized abuse or fraud.
  • Let us know what you found, either through the Security Alerts dashboard or from the API. To learn more about using the API, see Update fraud event status. Use the following categories to describe what you found:
    • Legitimate - The activity is expected or a false positive signal.
    • Fraud - The activity is due to unauthorized abuse or fraud.
    • Ignore - The activity is an older alert and should be ignored. To learn more, see Why are partners receiving older Security Alerts?.

What other steps can you take to lower the risk of compromise?

What should you do if an Azure subscription has been compromised?

Take immediate action to protect your account and data. Here are a few suggestions and tips to quickly respond and contain a potential incident to reduce its impact and overall business risk.

Remediating compromised identities in a cloud environment is crucial for ensuring the overall security of cloud-based systems. Compromised identities can provide attackers with access to sensitive data and resources, making it essential to take immediate action to protect the account and data.

After malicious actors are evicted, clean the compromised resources. Keep a close eye on the affected subscription to make sure there's no further suspicious activity. It's also a good idea to regularly review your logs and audit trails to ensure that your account is secure.

Preventing account compromise is easier than recovering from it. Therefore, it's important to strengthen your security posture.

For more information, see the article support.

More tools for monitoring

How to prepare your end customers

Microsoft sends notifications to Azure subscriptions, which go to your end customers. Work with your end customer to ensure that they can act appropriately and are alerted of various security issues within their environment:

  • Set up usage alerts with Azure Monitor or Azure Cost management.
  • Set up Service Health Alerts to be aware of other notifications from Microsoft about security and other related issues.
  • Work with your organization's Tenant Admin (if this isn't managed by the Partner) to enforce increased security measures on your tenant (see the following section).

Additional information for protecting your tenant

If you suspect unauthorized usage of your or your customer's Azure subscription, engage Microsoft Azure Support so Microsoft can help expedite any other questions or concerns.

If you have specific questions regarding Partner Center, submit a support request in Partner Center. For more information: Get support in Partner Center.

Check security notifications under Activity logs

  1. Sign in to Partner Center and select the settings (gear) icon on top right corner, then select the Account settings workspace.
  2. Navigate to Activity logs on the left panel.
  3. Set the From and To dates in the top filter.
  4. In Filter by Operation Type, select Azure Fraud Event Detected. You should be able to see all security alerts Events detected for the selected period.

Why are partners receiving older Azure security alerts?

Microsoft has been sending Azure Fraud alerts since December 2021. However, in the past, alert notification was based on opt-in preference only, where partners had to opt in to receive notice. We've changed this behavior. Partners should now resolve all fraud alerts (including old alerts) that are open. To secure your and your customers' security posture, follow the Cloud Solution Provider security best practices.

Microsoft is sending the daily fraud summary (this is the count of partners, customers, and subscriptions affected) if there's an active unresolved fraud alert within the last 60 days. Microsoft is sending the daily fraud summary (this is the count of partners, customers, and subscriptions affected) if there's an active unresolved fraud alert within the last 60 days.

Why am I not seeing all the alerts?

Security alert notifications are limited to detecting patterns of certain anomalous actions in Azure. Security alert notifications don't detect and aren't guaranteed to detect all anomalous behaviors. It's critical that you use other methods of monitoring to help detect anomalous usage in your customer's Azure subscriptions, such as monthly Azure spending budgets. If you receive an alert that is significant and is a false negative, reach out to Partner Support and provide the following information:

  • Partner Tenant ID
  • Customer Tenant ID
  • Subscription ID
  • Resource ID
  • Impact start and impact end dates