This chapter covers Microsoft 365 alert policies, a critical component of the Microsoft 365 Defender suite used to detect and respond to suspicious activities. For the MS-900 exam, alert policies appear in Domain 3 (Security) under Objective 3.1, and they represent approximately 5-8% of exam questions. Understanding how alert policies work, their default configurations, and how they integrate with the Microsoft 365 Defender portal is essential for answering scenario-based questions about threat detection and automated remediation.
Jump to a section
Think of an organization's Microsoft 365 environment as a large office building with multiple floors, rooms, and entry points. The building has a security camera system (Microsoft 365 alert policies) that monitors all activity. Each camera is configured to detect specific types of events: motion in a restricted area (e.g., a user downloading 100 files in 5 minutes), door alarms after hours (e.g., a sign-in from an unfamiliar location), or unusual noise patterns (e.g., a malware detection). The camera system doesn't record everything continuously; instead, it uses motion triggers and rules to capture only relevant clips. When a camera detects something, it sends a notification to the security console (Microsoft 365 Defender portal) and can trigger automated responses, like locking a door (blocking a user) or calling security (alerting an admin). The system has a central recording server (Unified Audit Log) where all clips are stored for review. Just as a security guard can adjust camera sensitivity (thresholds) or add new cameras (custom policies), an admin can fine-tune alert policies to reduce false positives. The key mechanic is that the cameras (policies) are independent but feed into a common console, and they can be set to alert only on patterns that match predefined suspicious behaviors, much like alert policies use activity thresholds and aggregation rules to surface real threats.
What Are Microsoft 365 Alert Policies?
Microsoft 365 alert policies are predefined or custom rules that automatically generate alerts when specific activities occur in the Microsoft 365 environment. They are part of the Microsoft 365 Defender suite and are managed in the Microsoft 365 Defender portal (security.microsoft.com). Alert policies help security teams detect potential threats, compliance violations, or operational issues by monitoring user and admin actions across Exchange Online, SharePoint Online, OneDrive for Business, Azure AD, Microsoft Teams, and other workloads.
Why Alert Policies Exist
Before alert policies, organizations relied on manual review of audit logs or third-party SIEM tools to detect suspicious activity. This was inefficient and often missed critical events. Alert policies automate detection by applying predefined logic to the Unified Audit Log (UAL). They reduce mean time to detect (MTTD) and enable automated responses like blocking a user or initiating an investigation.
How Alert Policies Work Internally
Alert policies operate through a three-stage pipeline: (1) Activity Triggering, (2) Aggregation and Threshold Evaluation, (3) Alert Generation and Notification.
Stage 1: Activity Triggering
Every user or admin action in Microsoft 365 generates an audit record in the UAL. For example, when a user signs in from a new IP address, an "User logged in" event is recorded with properties like UserId, IP address, Location, ClientApp, and Timestamp. Alert policies subscribe to specific event types. When an event matches the policy's conditions (e.g., event type is "MailItemsAccessed" and the operation is "MailboxLogin"), the policy engine evaluates the event.
Stage 2: Aggregation and Threshold Evaluation
Many alert policies use aggregation to reduce noise. Instead of firing an alert for every single event, the policy collects events that match a pattern over a time window. For instance, the policy "A user has sent more than 100 emails in 5 minutes" aggregates all "Send" events for a specific user within a 5-minute sliding window. If the count exceeds the threshold (100), an alert is triggered. The default aggregation window is 5 minutes for most policies, but this can be configured for custom policies.
Stage 3: Alert Generation and Notification
When the threshold is met, the alert policy generates an alert in the Microsoft 365 Defender portal. The alert includes:
Title: e.g., "Unusual volume of email sending"
Severity: Low, Medium, High, or Critical (based on policy configuration)
Category: e.g., "Threat management"
Source: The workload (e.g., Exchange Online)
Affected entities: User, IP, device, etc.
Description: Details of the triggering activity
Recommended actions: Steps to investigate or remediate
Additionally, the policy can send email notifications to a security distribution group or specific admins. The email is sent within 5 minutes of alert generation, but there may be a delay if the alert volume is high.
Key Components, Values, Defaults, and Timers
- Policy Types: - Predefined policies: Microsoft provides about 30+ default alert policies covering common scenarios like malware detection, impossible travel, risky sign-ins, and data exfiltration. These cannot be deleted but can be deactivated or modified (except for some critical ones). - Custom policies: Admins can create custom alert policies for specific needs, such as monitoring a sensitive SharePoint site or tracking deletion of large numbers of files.
- Default Alert Policies: - "Suspicious email sending patterns" – triggers when a user sends > 100 emails in 5 minutes. - "Malware campaign detected after delivery" – triggers when a malware campaign bypasses initial filters. - "Impossible travel" – triggers when a user signs in from two locations that are geographically distant within a time window shorter than the travel time. - "Risky sign-in" – triggers when Azure AD Identity Protection detects a risky sign-in. - "eDiscovery search started or exported" – triggers when an admin starts or exports an eDiscovery search.
Severity Levels:
Low: Minor policy violations or informational events.
Medium: Potentially harmful activities that warrant investigation.
High: Activities that are likely malicious or violate compliance.
Critical: Activities that indicate an active breach or severe data loss.
Aggregation Window: Default 5 minutes for most policies; can be set from 1 minute to 24 hours for custom policies.
Threshold: The number of events that must occur within the aggregation window to trigger an alert. For example, "A user has deleted more than 50 files in 5 minutes."
Email Notifications: Enabled by default for high and critical severity alerts. Can be configured to send to specific recipients. The notification includes a link to the alert in the Defender portal.
Configuration and Verification
Alert policies are managed in the Microsoft 365 Defender portal under Email & collaboration > Policies & rules > Alert policy. To view existing policies:
Navigate to https://security.microsoft.com/alertpoliciesTo create a custom alert policy: 1. Go to Alert policy > + New alert policy. 2. Name: e.g., "SharePoint mass download detection" 3. Description: Describe the purpose. 4. Severity: Choose High. 5. Category: Data loss prevention. 6. Choose a condition: e.g., Activity is "FileDownloaded" and IP address is not in the trusted IP range. 7. Set threshold: > 20 downloads in 5 minutes. 8. Notifications: Send email to security@contoso.com. 9. Review and create.
To verify alerts, check the Incidents & alerts > Alerts page. You can also use PowerShell to manage alert policies:
# Connect to Exchange Online PowerShell
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
# Get all alert policies
Get-AlertPolicy | Format-Table Name, Enabled, Severity
# Create a new alert policy (example)
New-AlertPolicy -Name "Custom Policy" -Severity High -Category DataLossPrevention -Threshold 100 -TimeWindow 10Interaction with Related Technologies
Alert policies integrate deeply with: - Unified Audit Log: All events are recorded here. Alert policies query this log in near-real-time. - Microsoft 365 Defender: Alerts appear in the unified incidents queue, correlating with other signals like endpoint detection and response (EDR) alerts. - Azure AD Identity Protection: Risky sign-in alerts from Identity Protection can trigger alert policies. - Microsoft Purview Compliance: Data loss prevention (DLP) policies can generate alerts that are surfaced through alert policies. - Automated Investigation and Response (AIR): Some alert policies can trigger automated playbooks that investigate and remediate threats without manual intervention.
Common Misconfigurations
Setting thresholds too low: Causes alert fatigue with hundreds of false positives.
Setting thresholds too high: Misses real threats until it's too late.
Not enabling email notifications: Admins may not check the portal regularly.
Ignoring predefined policies: Many organizations disable or modify predefined policies without understanding their value, leading to blind spots.
Exam-Relevant Details
The MS-900 exam expects you to know that alert policies are part of Microsoft 365 Defender, not separate.
You should be able to identify scenarios where alert policies are the appropriate tool vs. DLP or retention policies.
Know the default aggregation window is 5 minutes.
Remember that alert policies can generate alerts based on a single event or aggregated events.
Understand that alerts can be viewed in the Microsoft 365 Defender portal under Incidents & alerts.
Define Alert Policy Conditions
The first step is to define what the alert policy will monitor. This includes selecting the activity type (e.g., 'FileDeleted', 'MailboxLogin'), the workload (Exchange Online, SharePoint, etc.), and any additional conditions like IP address range, user group, or file sensitivity label. For example, to detect mass file deletion, you would choose activity 'FileDeleted' and set a condition that the user is not an admin. The policy engine uses these conditions to filter audit log events. If the conditions are too broad, false positives increase; if too narrow, real threats may be missed.
Set Aggregation Threshold and Window
After defining conditions, you configure the aggregation behavior. You decide whether to alert on each occurrence or only when a threshold is met within a time window. For example, you can set 'Alert when: More than 50 files are deleted in 5 minutes'. The time window can range from 1 minute to 24 hours. The threshold is a numeric value. The policy engine counts matching events within the sliding window. Once the count reaches the threshold, an alert is generated. The engine then resets the count for that user or entity after the window expires.
Configure Severity and Notifications
Every alert policy has a severity level: Low, Medium, High, or Critical. This determines how the alert is prioritized in the Defender portal. You also configure notification settings: whether to send an email and to whom. By default, High and Critical alerts send email notifications to the security team. You can also integrate with Microsoft Power Automate to trigger custom workflows, such as creating a ticket in ServiceNow or posting to a Teams channel. Email notifications include a direct link to the alert for quick investigation.
Review and Enable Policy
Before enabling, review the policy summary. Check the estimated number of alerts per day based on historical data (if available). Ensure the policy name and description are clear. Once enabled, the policy starts monitoring in near-real-time. It may take up to 30 minutes for the policy to become fully active. You can test the policy by performing the monitored activity and verifying that an alert appears in the portal within a few minutes. If no alert appears, check the audit log to ensure events are being generated and the conditions are correct.
Monitor and Tune Alerts
After the policy is active, regularly review the alerts it generates. In the Microsoft 365 Defender portal, go to Incidents & alerts > Alerts to see all alerts. Analyze false positives and adjust the policy conditions or threshold accordingly. For example, if you get too many alerts for a legitimate process, you can add an exclusion condition (e.g., exclude a trusted service account). Tuning is an ongoing process to balance detection coverage with alert fatigue. Microsoft recommends reviewing alerts at least weekly and adjusting policies based on threat landscape changes.
Enterprise Scenario 1: Detecting Data Exfiltration via Mass Download
A large financial services company with 10,000 employees uses SharePoint Online to store sensitive client documents. They need to detect when an employee downloads an unusually large number of files in a short period, which could indicate data exfiltration. They create a custom alert policy named "Mass Download Detection" with the following configuration:
Activity: FileDownloaded
Conditions: IP address not in trusted corporate range (to exclude office downloads)
Threshold: > 50 files in 10 minutes
Severity: High
Notifications: Email to security team and a Teams webhook
In production, this policy generates about 5-10 alerts per week. Most are false positives from users on VPN (VPN IPs are not always in the trusted range). They add the VPN IP range to the exclusion list, reducing false positives to 1-2 per week. Performance is not an issue because the policy engine scales automatically. However, during a merger, thousands of files were legitimately migrated, causing a spike. They temporarily disabled the policy. Misconfiguration could occur if the threshold is set too low (e.g., 10 files), causing alert fatigue, or too high (e.g., 500 files), missing real exfiltration.
Enterprise Scenario 2: Detecting Impossible Travel
A global consulting firm with offices in New York, London, and Tokyo uses the predefined "Impossible travel" alert policy. This policy detects when a user signs in from two geographically distant locations within a time window that makes travel impossible. For example, a sign-in from New York at 9:00 AM and from London at 9:30 AM would trigger an alert because the travel time is at least 7 hours. The policy uses Azure AD Identity Protection data and the user's typical sign-in patterns. In production, the policy generates about 20 alerts per month. Many are false positives due to VPNs or mobile devices that route through different data centers. The security team uses the alert to investigate and often finds that the user was using a VPN or had a mobile device with location spoofing. They tune the policy by excluding trusted IP ranges and known VPN exit points. A common misconfiguration is not updating the trusted IP list regularly, leading to excessive false positives.
Enterprise Scenario 3: Monitoring Admin Actions
A healthcare organization subject to HIPAA must monitor all admin actions in Exchange Online and SharePoint. They use the predefined "eDiscovery search started or exported" alert policy to track when an admin runs an eDiscovery search or exports results. This policy triggers an alert for each occurrence (no aggregation) with severity Medium. The security team receives email notifications and reviews the search queries to ensure they are legitimate. In production, this generates about 10 alerts per day from the compliance team's routine searches. To reduce noise, they create a custom policy that excludes the compliance team's service account. They also set up a Power Automate flow to automatically log the alert to a SIEM system. Misconfiguration could occur if the policy is disabled accidentally, leading to undetected unauthorized eDiscovery activities.
MS-900 Objective Coverage
This section aligns with Objective 3.1: Describe the capabilities of Microsoft 365 security and compliance solutions. Specifically, alert policies are part of Microsoft 365 Defender (formerly Microsoft 365 security center). The exam may ask you to identify which tool to use for a given scenario: alert policies vs. DLP policies vs. retention policies vs. Azure AD Identity Protection. You must know that alert policies are for detecting suspicious activities, while DLP policies are for preventing data loss.
Common Wrong Answers and Why Candidates Choose Them
Wrong answer: 'DLP policies should be used to detect mass file downloads.' Candidates confuse detection (alert policies) with prevention (DLP). DLP policies can block actions but are not designed for detection based on volume thresholds. Alert policies are the correct answer because they can aggregate events and trigger alerts on thresholds.
Wrong answer: 'Alert policies are configured in the Microsoft 365 admin center.' Many candidates think all security settings are in the admin center (admin.microsoft.com). In reality, alert policies are in the Microsoft 365 Defender portal (security.microsoft.com). The admin center only has limited security settings.
Wrong answer: 'Alert policies can automatically block a user's access.' While alert policies can trigger automated investigations, they do not directly block users. Automated blocking requires integration with Azure AD Conditional Access or Microsoft 365 Defender's automated remediation capabilities. The exam may test this distinction.
Wrong answer: 'All alert policies are predefined and cannot be modified.' Actually, many predefined policies can be modified (e.g., change severity, notification recipients) and custom policies can be created from scratch.
Specific Numbers and Terms That Appear on the Exam
Default aggregation time window: 5 minutes
Severity levels: Low, Medium, High, Critical
The predefined policy for suspicious email sending triggers at >100 emails in 5 minutes
Alert policies are found in the Microsoft 365 Defender portal under Email & collaboration > Policies & rules > Alert policy
Alerts appear in Incidents & alerts > Alerts
Edge Cases and Exceptions
Some predefined alert policies (e.g., for malware campaigns) cannot be disabled or modified.
Alert policies work only if audit logging is enabled. If audit log is disabled, no alerts will be generated.
For some activities, the alert may be delayed by up to 30 minutes due to processing time.
Alert policies can monitor multiple workloads simultaneously, but each policy is limited to one workload per condition set (though you can create multiple conditions within the same policy).
How to Eliminate Wrong Answers
When you see a scenario question about detecting suspicious activity, ask: "Is the goal to detect and alert, or to prevent and block?" If detection and alerting, the answer is alert policies. If prevention, look for DLP or retention policies. Also, check the location: if the answer mentions "Microsoft 365 admin center", it's likely wrong because security policies are in the Defender portal. Finally, look for keywords like "threshold", "aggregation", "time window" – these are characteristics of alert policies.
Alert policies are part of Microsoft 365 Defender and are used to detect suspicious activities by monitoring audit log events.
Policies have a default aggregation time window of 5 minutes; custom policies can set windows from 1 minute to 24 hours.
Threshold-based policies require a certain number of matching events within the time window to trigger an alert.
Severity levels: Low, Medium, High, Critical; High and Critical send email notifications by default.
Predefined alert policies cover common scenarios like impossible travel, mass email sending, and malware detection.
Custom alert policies can be created for specific needs, such as monitoring a sensitive SharePoint site.
Alert policies do not block actions; they only generate alerts. Blocking requires other tools like DLP or Conditional Access.
Alerts are viewed in the Microsoft 365 Defender portal under Incidents & alerts > Alerts.
Audit logging must be enabled for alert policies to function.
The MS-900 exam expects you to know the difference between alert policies and DLP policies.
These come up on the exam all the time. Here's how to tell them apart.
Alert Policies
Detect suspicious activities based on thresholds and patterns
Generate alerts and notifications only
Monitor activities like mass downloads, impossible travel, admin actions
Configured in Microsoft 365 Defender portal
No automatic blocking; may trigger automated investigation
DLP Policies
Prevent data loss by blocking or warning users
Can block actions (e.g., block sending sensitive email) or show policy tips
Monitor sensitive data patterns (e.g., credit card numbers, PII)
Configured in Microsoft Purview compliance portal
Can enforce actions like blocking, encrypting, or quarantining
Mistake
Alert policies can block user actions immediately.
Correct
Alert policies only generate alerts and notifications. They do not block actions. Blocking requires integration with Azure AD Conditional Access, DLP policies, or Microsoft 365 Defender automated remediation. The alert can trigger a playbook that blocks the user, but the policy itself does not block.
Mistake
Alert policies are only for security threats, not compliance.
Correct
Alert policies cover both security and compliance scenarios. For example, there are predefined policies for eDiscovery search started or exported, which is a compliance activity. The category can be 'Data loss prevention', 'Threat management', or 'Compliance'.
Mistake
All alert policies are enabled by default.
Correct
While many predefined alert policies are enabled by default, some are disabled. For example, the 'Malware campaign detected after delivery' policy may be disabled if not needed. Admins can enable or disable any policy (except critical ones).
Mistake
Alert policies require a Microsoft 365 E5 license.
Correct
Alert policies are available with any Microsoft 365 subscription that includes Exchange Online and SharePoint Online. However, advanced features like automated investigation and response (AIR) require E5. Basic alerting is available in E3.
Mistake
You can only have 10 alert policies.
Correct
There is no hard limit on the number of alert policies. However, Microsoft recommends keeping the number reasonable to avoid performance issues. In practice, organizations often have 50-100 policies.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The default aggregation time window is 5 minutes for most alert policies. This means that the policy counts matching events within a sliding 5-minute window. If the count exceeds the threshold, an alert is generated. For custom policies, you can set the window from 1 minute to 24 hours. The exam may test this default value, so remember 5 minutes.
No, alert policies themselves do not block users. They only generate alerts and send notifications. However, you can configure automated investigation and response (AIR) playbooks that can take actions like disabling a user account or revoking sessions. But the policy itself is only for detection and alerting. For blocking, you would use Azure AD Conditional Access or DLP policies.
Alert policies are configured in the Microsoft 365 Defender portal at security.microsoft.com. Specifically, navigate to Email & collaboration > Policies & rules > Alert policy. They are not in the Microsoft 365 admin center (admin.microsoft.com). The exam often tests this location.
An alert policy is for detecting suspicious activities based on thresholds and patterns (e.g., mass downloads, impossible travel). It generates alerts and can trigger automated investigations. A DLP policy is for preventing data loss by identifying and protecting sensitive information (e.g., credit card numbers). DLP policies can block actions, show warnings, or encrypt data. Alert policies are in the Defender portal; DLP policies are in the Purview compliance portal.
Yes, you can create custom alert policies for specific scenarios not covered by predefined policies. For example, you can create a policy to monitor when a specific user downloads files from a sensitive SharePoint site. Custom policies allow you to define the activity, conditions, threshold, time window, severity, and notifications.
If audit logging is disabled, alert policies will not generate any alerts because they rely on the Unified Audit Log to detect activities. You must enable audit logging in the Microsoft 365 Defender portal or via PowerShell (Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true). This is a common exam point.
Alerts are viewed in the Microsoft 365 Defender portal under Incidents & alerts > Alerts. You can filter by severity, status, category, and source. Each alert shows details like the triggering activity, affected users, and recommended actions. You can also integrate alerts with SIEM systems via APIs.
You've just covered Microsoft 365 Alert Policies — now see how well it sticks with free MS-900 practice questions. Full explanations included, no account needed.
Done with this chapter?