
Alert Policies

Configure alert rules that notify administrators when specific security events or thresholds are detected.

Default Alert Policies

Microsoft 365 includes built-in alert policies for common security events. These can be customized but not deleted.

Custom Alert Policies

Create custom policies based on:

  • Activity type — Admin actions, user actions, mailbox events
  • Conditions — Severity, user, IP address, location
  • Threshold — Trigger after N occurrences within a time window
  • Recipients — Email, Teams, or webhook notification
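The threshold rule above is the part most often misconfigured, so here is a worked evaluation of a custom policy against a stream of audit events. This is an added example, not code from the page or from Microsoft 365: the policy fields (activity_type, conditions, threshold, window, recipients), the event attributes, the per-user counting and every event value are assumptions modelled on the list above.

```python
"""Sliding-window evaluation of custom alert policies (added example).

Assumptions, not the product's own schema: a policy has an activity type,
attribute conditions, a threshold, a window and recipients; occurrences are
counted per (policy, user); events carry the attributes listed in Event.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class AlertPolicy:
    name: str
    severity: str                                   # Critical, High, Medium or Low
    activity_type: str                              # "admin", "user" or "mailbox" (assumed values)
    conditions: dict = field(default_factory=dict)  # event attribute -> required value
    threshold: int = 1                              # trigger after N matching occurrences ...
    window: timedelta = timedelta(minutes=5)        # ... inside this time window
    recipients: list = field(default_factory=list)  # email, Teams or webhook targets


@dataclass
class Event:
    time: datetime
    activity_type: str
    operation: str
    user: str
    ip: str
    location: str


def matches(policy: AlertPolicy, event: Event) -> bool:
    """An event matches when its activity type and every condition agree."""
    if event.activity_type != policy.activity_type:
        return False
    return all(getattr(event, attr, None) == want for attr, want in policy.conditions.items())


class PolicyEvaluator:
    """Keeps one sliding window of timestamps per (policy, user)."""

    def __init__(self, policies):
        self.policies = policies
        self._windows = defaultdict(deque)  # (policy name, user) -> matching timestamps

    def ingest(self, event: Event) -> list:
        alerts = []
        for policy in self.policies:
            if not matches(policy, event):
                continue
            window = self._windows[(policy.name, event.user)]
            window.append(event.time)
            # Drop occurrences that fell out of the window before counting.
            while window and event.time - window[0] > policy.window:
                window.popleft()
            if len(window) >= policy.threshold:
                alerts.append({
                    "policy": policy.name,
                    "severity": policy.severity,
                    "user": event.user,
                    "occurrences": len(window),
                    "first": window[0],
                    "last": event.time,
                    "notify": list(policy.recipients),
                })
                window.clear()  # one alert per burst, not one per extra event
        return alerts


def run_policies(policies, events):
    """Evaluate events in time order (they may arrive out of order) and return all alerts."""
    evaluator = PolicyEvaluator(policies)
    alerts = []
    for event in sorted(events, key=lambda e: e.time):
        alerts.extend(evaluator.ingest(event))
    return alerts


# Constructed sample data: two policies and twelve events.
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)

POLICIES = [
    AlertPolicy("Mass file deletion", "Critical", "user",
                conditions={"operation": "FileDeleted"}, threshold=5,
                window=timedelta(minutes=5), recipients=["mailto:secops@example.com"]),
    AlertPolicy("Suspicious forwarding rule", "High", "mailbox",
                conditions={"operation": "New-InboxRule", "location": "Unknown"},
                threshold=1, recipients=["https://hooks.example.com/alerts"]),
]

SAMPLE_EVENTS = (
    # alice deletes six files in 75 seconds: one Critical alert at the fifth deletion
    [Event(T0 + timedelta(seconds=15 * i), "user", "FileDeleted", "alice", "198.51.100.4", "Seattle")
     for i in range(6)]
    # bob deletes three files over 20 minutes: never five inside the window, no alert
    + [Event(T0 + timedelta(minutes=10 * i), "user", "FileDeleted", "bob", "198.51.100.9", "Seattle")
       for i in range(3)]
    # carol creates an inbox rule from an unknown location: one High alert
    + [Event(T0 + timedelta(minutes=3), "mailbox", "New-InboxRule", "carol", "203.0.113.7", "Unknown")]
)

if __name__ == "__main__":
    for alert in run_policies(POLICIES, SAMPLE_EVENTS):
        print(alert["severity"], alert["policy"], alert["user"], alert["occurrences"])
```

The window is trimmed before the count is taken, so a slow trickle of events (bob) never accumulates to the threshold, while a burst (alice) fires once and then resets rather than alerting on every subsequent event.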

Severity Levels

Severity   Examples
Critical   Admin consent to risky app, mass file deletion
High       Malware detected, suspicious forwarding rule
Medium     Unusual sign-in pattern, DLP policy match
Low        User reported phishing, password change

API Reference

  • GET /api/security/alert-policies — List alert policies
  • POST /api/security/alert-policies — Create policy
  • PUT /api/security/alert-policies/:id — Update policy