A few days ago, I was doing some maintenance on my company’s Lifecycle Workflows and discovered that one of the Lifecycle workflows had the same failed task every time the Lifecycle workflow had run. The task is a Custom Extension task (PowerShell based). This got me thinking about how I could get a notification when any task running in a Lifecycle Workflow fails?
After some thinking and using KQL to find the failures in the Entra ID Audit logs. I decided on creating a Log search alert rule, the reason for this because I didn’t want to create some PowerShell code that would fetch the status for all Lifecycle Workflows every 30 min or something like, I wanted it to be event based, so when it happens, i get an email telling me about it.
If you have Custom Task extensions running in your Lifecycle Workflows based on PowerShell for example, odds are that it might fail at some point and then it would be handy to get an alert email rather than a helpdesk ticket from a user, so you proactively correct the error(s).
You can check the status of all your Lifecycle workflows in Workflow Insight tab in Entra ID Governance:
In this blog post I want to share with you how to can set up monitoring of Lifecycle workflows using a log search alert rule – Here is how I did it:
The solution is as I mentioned based on a Log search alert rule. You can create an alert rule pretty easily if you have a Log Analytics workspace that contains AuditLogs from Entra. If you don’t have it, you should REALLY set it up! – This article from Microsoft explains how to create a Log Analytics workspace – Create Log Analytics workspaces – Azure Monitor | Microsoft Learn – After you have created that, head over to the Entra ID portal and select Diagnostic settings – Here is the direct link: https://portal.azure.com/#view/Microsoft_AAD_IAM/DiagnosticSettingsMenuBlade/~/General – Select + Add diagnostic settings
Now select AuditLogs and then select the Log Analytics workspace and then press save.
If you haven’t setup the AuditLogs up before now, you won’t be able to see any logs the past, but now you are ready for the future at least.
Creating the monitoring rule
To create a monitoring rule, navigate to the Log Analytics workspace and select Logs and type in the following KQL query:
Or you can use this KQL query – This will ‘trimme’ the output so that it’s more readable and provide you with the need information to identity the Lifecycle Workflow that has a failed task. You can use either to create the monitoring rule
Now select + New alert rule when you are ready to create the rule
You will then be presented for the KQL query you type in alongside a lot of configurations options. They only thing you need to change here is the Threshold value, that should be set to 0. That means when the query runs, you will get an alert if the results of that is greater than 0.
When you have done that, press Next: Actions in the bottom, you will then be presented with the option create the mail configuration.
You need to provide a name for an Action group and a display name for that Action group, and then add an email address that will receive the notification. (I’ll recommend an Exchange online distribution list) When you have filled out the information, press save, and then Next: Details
The final step is to create a name for the Alert rule, a description and what resource group the alert rule should be created in (Like all Azure resources you create). You should also select Severity, the default is informational – I have selected Warning instead of informational, but the choice is yours to make.
When you are done, select Review + create and then Create at the bottom.
You have now created the alert that will send you an email every time and Lifecycle workflow task is not successful.
The alert email you receive will look like this:
You can then click the link View query results where it says Search results. Here you will be able to see more details about what Lifecycle flow that has a failed task, you can then navigate to that Lifecycle workflow in Entra ID Governance to investigate further.
