๐Ÿ›ก๏ธ Recipe ยท Security & Compliance

Generate a weekly VIP/admin sign-in anomaly report

Detect unusual sign-in patterns for privileged and executive accounts in Microsoft 365

Complexity

Intermediate

Impact

security + compliance + monitoring + privileged-access + reporting

Context

Why This Matters

VIP accounts (executives, board members) and privileged admin accounts are the highest-value targets in any Microsoft 365 tenant. Attackers routinely use password spray, credential stuffing, and session hijacking against these identities, and a single compromise can lead to tenant-wide impact.

A weekly sign-in anomaly report gives your security team a rhythm for catching early-stage attacks (repeated failures, impossible-travel events, sign-ins from unfamiliar geographies, and abnormal activity frequency) before they escalate into incidents. Running this on a schedule, rather than only reacting to alerts, ensures coverage of low-and-slow attacks that might not trigger Conditional Access or Identity Protection in real time.

Run this recipe every Monday morning as part of your security operations cadence, or any time after a known threat campaign targeting executives.

Expected Outcomes

  • A consolidated list of all directory role holders (admins) and members of VIP/Executive/Leadership groups
  • Sign-in log analysis for each VIP/admin covering the past 7 days
  • Anomaly flags: 5 or more failed sign-ins, sign-ins from new countries, sign-ins outside business hours, sign-ins at abnormal frequency
  • A prioritized list of accounts requiring follow-up (password reset, session revoke, MFA re-registration, or user contact)
  • A CSV/HTML report suitable for sharing with the security team and leadership

Risks & Considerations

Compliance & Privacy

  • Sign-in logs contain IP addresses and location data; treat the report as confidential and store it in a controlled location
  • Some jurisdictions (EU/GDPR) require that access to employee sign-in data be logged and justified

Operational Gotchas

  • AuditLog.Read.All is a sensitive permission: grant it to a dedicated service principal or reporting account, not to interactive users who have no need for it
  • Sign-in logs are retained for 30 days on Entra ID P1/P2 licenses; Entra ID Free tenants retain only 7 days, which is barely the report window itself
  • "Unfamiliar location" is subjective: baseline at least 30 days of sign-in history before flagging first-seen countries as anomalous, or business travelers will generate false positives. Because the portal keeps at most 30 days, a rolling baseline means exporting sign-in logs (diagnostic settings to a Log Analytics workspace or storage account) or carrying forward the per-user country list from previous weekly runs
  • Service accounts and break-glass accounts may appear as anomalies by design โ€” maintain an allow-list
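The anomaly checks listed under Expected Outcomes, with the baseline and allow-list caveats from the gotchas above, as an added worked example (this is not the recipe's or Dex's code). It takes records shaped like the Microsoft Graph `signIn` resource (the fields GET /auditLogs/signIns returns: userPrincipalName, createdDateTime, ipAddress, status.errorCode, location.countryOrRegion), splits them into the 7-day report window and whatever older history is available as the baseline, skips allow-listed accounts, applies the four flags and emits a prioritized CSV with recommended follow-up. The 5-failure rule is the recipe's; the off-hours and frequency thresholds, the 07:00-19:59 UTC business-hours window, the action wording and the contoso.example sample tenant are assumptions. In a real run the records would come from Graph filtered on createdDateTime, and the watchlist from directory role members plus your VIP group members, rather than being built inline.

```python
"""Flag sign-in anomalies for watchlisted VIP/admin accounts (added example, not the recipe's code)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Thresholds: FAILURE_THRESHOLD is the recipe's; the others are assumptions to tune per tenant.
FAILURE_THRESHOLD = 5                  # >= 5 failed sign-ins in the report window
OFF_HOURS_THRESHOLD = 3                # >= 3 successful sign-ins outside business hours
BUSINESS_HOURS_UTC = range(7, 20)      # 07:00-19:59 UTC assumed as office hours
FREQ_MULTIPLIER, FREQ_FLOOR = 3.0, 10  # > 3x the baseline weekly rate, and at least 10 sign-ins
ACTIONS = {  # recommended follow-up per flag; a human confirms before anything is done
    "repeated_failures": "contact user; verify MFA is enforced; reset password if unexplained",
    "new_country": "revoke sessions; contact user to confirm travel",
    "off_hours": "contact user to confirm the activity",
    "abnormal_frequency": "review sessions and devices; revoke any not recognised",
}

def _ts(value):  # Graph timestamps are ISO-8601 with a trailing 'Z'
    return datetime.fromisoformat(value.replace("Z", "+00:00"))
def _succeeded(rec):  # status.errorCode 0 means the sign-in succeeded
    return (rec.get("status") or {}).get("errorCode", 0) == 0
def _country(rec):  # location can be missing on some records
    return (rec.get("location") or {}).get("countryOrRegion")

def analyze_signins(signins, watchlist, report_end, allowlist=(), report_days=7):
    """Return {upn: finding} for each watchlisted account not on the allow-list.
    Records within report_days before report_end form the report window; older
    records are the baseline that defines known countries and normal volume."""
    watch = {u.lower() for u in watchlist} - {u.lower() for u in allowlist}
    report_start = report_end - timedelta(days=report_days)
    buckets = {u: {"report": [], "baseline": []} for u in watch}
    for rec in signins:
        upn = rec["userPrincipalName"].lower()
        if upn in buckets:
            key = "report" if _ts(rec["createdDateTime"]) >= report_start else "baseline"
            buckets[upn][key].append(rec)
    findings = {}
    for upn, b in buckets.items():
        report, baseline, flags = b["report"], b["baseline"], []
        failures = [r for r in report if not _succeeded(r)]
        if len(failures) >= FAILURE_THRESHOLD:
            flags.append("repeated_failures")
        known = {_country(r) for r in baseline if _succeeded(r)} - {None}
        seen = {_country(r) for r in report if _succeeded(r)} - {None}
        # With no baseline every country looks new: skip the flag rather than guess.
        new_countries = sorted(seen - known) if known else []
        if new_countries:
            flags.append("new_country")
        off_hours = sum(_succeeded(r) and _ts(r["createdDateTime"]).hour not in BUSINESS_HOURS_UTC for r in report)
        if off_hours >= OFF_HOURS_THRESHOLD:
            flags.append("off_hours")
        if baseline:  # weekly rate from however much history the tenant actually retains
            first = min(_ts(r["createdDateTime"]) for r in baseline)
            weekly_rate = len(baseline) * 7 / max(1, (report_start - first).days)
            if len(report) >= FREQ_FLOOR and len(report) > FREQ_MULTIPLIER * weekly_rate:
                flags.append("abnormal_frequency")
        findings[upn] = dict(flags=flags, actions=[ACTIONS[f] for f in flags], new_countries=new_countries,
                             failures=len(failures), signins=len(report),
                             priority=len(flags) + ("new_country" in flags))  # a new country weighs double
    return findings

def prioritized(findings):  # flagged UPNs, highest priority first, ties broken by name
    flagged = [(u, f) for u, f in findings.items() if f["flags"]]
    return [u for u, _ in sorted(flagged, key=lambda kv: (-kv[1]["priority"], kv[0]))]

def to_csv(findings):  # the prioritized follow-up list as CSV text for the security team
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["account", "priority", "flags", "new_countries", "failed", "signins_7d", "actions"])
    for upn in prioritized(findings):
        f = findings[upn]
        w.writerow([upn, f["priority"], ";".join(f["flags"]), ";".join(f["new_countries"]),
                    f["failures"], f["signins"], " | ".join(f["actions"])])
    return out.getvalue()

def _rec(upn, when, country, error=0, ip="203.0.113.10"):  # one record in Graph signIn shape
    return {"userPrincipalName": upn, "createdDateTime": when, "ipAddress": ip,
            "status": {"errorCode": error}, "location": {"countryOrRegion": country}}

# Constructed sample tenant. Report window: Mon 2024-03-04 .. Sun 2024-03-10 UTC.
REPORT_END = datetime(2024, 3, 11, tzinfo=timezone.utc)
WATCHLIST = ["ceo@contoso.example", "cfo@contoso.example", "admin@contoso.example",
             "svc-backup@contoso.example"]
ALLOWLIST = ["svc-backup@contoso.example"]  # break-glass/service account, noisy by design
SAMPLE = (  # baseline weeks: routine daytime US sign-ins
    [_rec("ceo@contoso.example", f"2024-02-{d:02d}T14:00:00Z", "US") for d in range(10, 29, 3)]
    + [_rec("cfo@contoso.example", f"2024-02-{d:02d}T15:00:00Z", "US") for d in (12, 19, 26)]
    + [_rec("admin@contoso.example", f"2024-02-{d:02d}T10:00:00Z", "US") for d in (10, 17, 24)]
    # report week: six AADSTS50126 failures, then a success, against the CEO from a new country
    + [_rec("ceo@contoso.example", f"2024-03-06T03:{m:02d}:00Z", "RU", 50126, "198.51.100.7")
       for m in range(0, 12, 2)]
    + [_rec("ceo@contoso.example", "2024-03-06T03:15:00Z", "RU", ip="198.51.100.7")]
    + [_rec("cfo@contoso.example", f"2024-03-0{d}T15:00:00Z", "US") for d in (5, 6, 8)]
    + [_rec("admin@contoso.example", f"2024-03-0{d}T{h:02d}:00:00Z", "US")  # 12 sign-ins vs ~1/week
       for d in (5, 6, 7) for h in (9, 11, 13, 16)]
    + [_rec("svc-backup@contoso.example", f"2024-03-0{d}T02:00:00Z", "US") for d in range(4, 10)]
)
if __name__ == "__main__":
    print(to_csv(analyze_signins(SAMPLE, WATCHLIST, REPORT_END, ALLOWLIST)))
```

On the sample, the CEO is flagged for repeated failures and a first-seen country (priority 3), the admin for a twelve-fold jump in weekly volume, the CFO not at all, and the allow-listed service account never enters the findings. The new-country check deliberately stays silent when there is no baseline at all, which is the situation a Free-tier tenant or a first run lands in; it is better to report "no baseline" than to flag every executive's home country.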

What NOT to do

  • Don't auto-disable accounts based on this report โ€” always have a human confirm before taking account actions on executives
  • Don't email the raw report to distribution lists; it's a disclosure risk

Required Permissions

Permission                     | Why It's Needed
RoleManagement.Read.Directory  | List members of directory roles (Global Admin, Security Admin, etc.) to identify privileged accounts
Group.Read.All                 | Enumerate VIP/Executive/Leadership groups and their members
AuditLog.Read.All              | Read sign-in logs to analyze authentication patterns and failures
User.Read.All                  | Resolve user details (display name, UPN, department) for the report

Listing sign-ins through Microsoft Graph (GET /auditLogs/signIns) additionally requires Directory.Read.All alongside AuditLog.Read.All, and the tenant must hold an Entra ID P1 or P2 license for the API to return data.

The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Generate a weekly sign-in anomaly report for all VIP and admin accounts. Pull the last 7 days of sign-ins, flag accounts with repeated failures, unfamiliar locations, or abnormal frequency, and recommend follow-up actions (reset password, revoke sessions, contact user) for each flagged account.