Create activity policies and alerts in Advanced Security Management

With Advanced Security Management in Office 365, you can set up advanced cloud management policies that trigger alerts for specific activities that happen or happen too frequently. For example, suppose a user tries to sign in to Office 365 and fails 70 times in one minute. Suppose another user downloads 7,000 files, or appears to be signed in from Canada, when that user is supposed to be in another location. You can set activity alerts to be notified when events like those occur, and specify certain actions to be taken, including suspending a user until you investigate what happened.

Note: Advanced Security Management in Office 365 policies are different from alert policies in the Office 365 Security & Compliance Center. The Activity Security Management policies described in this article are defined in the Advanced Security Management portal, and can help you manage your organization's cloud environment more securely.

Before you begin

Make sure that:

  • Your organization has Advanced Security Management in Office 365, which is available in Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Advanced Security Management can be purchased as an add-on. (As a global admin, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information about plan options, see Compare All Office 365 for Business Plans.

  • You are a global administrator or security administrator for Office 365.

Create a new activity policy

  1. In the Security & Compliance Center, choose Alerts, then Manage advanced alerts.

  2. From the Control menu, select Policies.

    Control policy menu
  3. Click Create policy, and then select Activity policy. (The very first time you create or edit a policy, you'll see Create policy in the center of the page, as well as in the usual place, to the right.)

    Activate policy
  4. On the Create activity policy page, type the Policy name and Description. You can base a new policy on one of the default templates, if you like, by choosing one in the Policy template drop-down menu.

    Create activity policy
  5. Choose a Policy severity (Low, Medium, or High) that measures how serious it is to you if this policy triggers an alert. You can use this value to filter alerts when you're reviewing them.

  6. Choose a Category for this policy. This is another way to help you filter and sort alerts that have been triggered, or to group policies when you're reviewing them to make changes.

  7. Choose Activity filters to set up other actions or metrics that will trigger an alert based on this policy.

    Activity settings
  8. Under Activity match parameters, select whether a policy violation will be triggered when a single activity matches the filters, or if a specified number of repeated activities is required before the alert triggers. If you select Repeated activity, set the following for the alert: The number of activities, the time frame, and whether a violation will count for a user within a specific app or for the same user with any app.

  9. Optionally, you can check Create alert to create additional Alerts to receive notifications from this policy (email or text message).

    Tip: When you set up an email notification, alerts are sent from Make sure that your email provider doesn't block emails sent from this address.

    Check Create Alert to create additional Alerts to receive notifications from this policy (email or text message).
  10. Choose the Actions that should be taken when an alert is triggered to suspend the user or require the user to sign in again to Office 365 apps.

Related topics

Advanced Security Management

Expand your skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.