How to Automate Microsoft 365 Role Change Notifications for Admin Oversight

Monitoring admin role changes in Microsoft 365 is essential for any organization, especially for MSPs. It helps prevent unauthorized role changes, which are considered early indicators of a breach or an insider threat.

If an admin accidentally escalates a user’s privileges without proper approval, they are inadvertently exposing their organization to malicious activities. Worse, these unexpected role escalations could lead to compliance violations of standards such as NIST, CIS, and ISO 27001.

However, manually tracking role change notifications across multiple tenants can be tedious and time-consuming. Automating alerts is the only way to effectively track role changes across multiple environments.

In this guide, we’ll show you how to automate role change notifications in Microsoft 365 using different built-in Windows tools. Keep reading to learn more about best practices for monitoring role changes.

How to set up automated role change notifications in Microsoft 365

Before we proceed, make sure the following requirements are in place:

📌 Prerequisites:

  • Microsoft 365 tenant with global admin or privileged role management rights
  • Microsoft Graph PowerShell SDK installed
  • Unified Audit Log enabled via Microsoft Purview
  • Exchange Online auditing permissions for reading audit events
  • Registry access and RMM tools, like NinjaOne, for confirmation tagging (optional)
  • Power Automate for low-code delivery (optional)

📌 Recommended deployment strategies:

Method 1: Enable and Verify Audit Logging
Method 2: Use PowerShell to Query Role Assignment Changes
Method 3: Use Microsoft Graph API for Role Assignment Monitoring
Method 4: Alert via Email or Teams When Changes are Detected
Method 5: Use Registry Keys to Track Last Audit Check
Method 6: Use Group Policy to Restrict Local Role Elevation on Devices

Method 1: Enable and Verify Audit Logging

📌 Use Case: Ensures centralized audit logging is active across all Microsoft 365 services.

  1. Ensure the Unified Audit Log is enabled

Connect-ExchangeOnline
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

  2. Check status

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

This functionality must be active to collect role change events from Microsoft 365.

Method 2: Use PowerShell to Query Role Assignment Changes

📌 Use Case: Quickly check for recent role changes in a tenant’s Microsoft 365. This method is best for IT administrators managing a small clientele.

  1. Query audit logs for role changes and keep the results in a variable

$results = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -Operations "Add member to role" `
    -RecordType AzureActiveDirectory `
    -ResultSize 1000

  2. Filter output

$results | Select-Object CreationDate, UserIds, Operations, AuditData

Schedule this via Task Scheduler or your RMM platform to send out alerts for any detected role changes.
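The raw AuditData column is a JSON string, so the query above only becomes useful for alerting once each event is expanded into who changed what role for whom. The following script is an added example, not code from the original post or from NinjaOne: it pulls role membership additions and removals from the Unified Audit Log, parses each event, and drops events raised by an allowlist of automation accounts (the service-account exclusion recommended under best practices). It assumes an existing Connect-ExchangeOnline session, and the allowlist address is constructed. The operation strings carry a trailing period because that is how Entra ID records these activities; verify the exact text in your own tenant before relying on it.

```powershell
# Added example (not code from the original post or from NinjaOne).
# Assumes Connect-ExchangeOnline has already been run in this session.

# Entra ID activity names as recorded in the Unified Audit Log (note the period).
$operations = @('Add member to role.', 'Remove member from role.')

# Constructed allowlist: automation identities whose role changes are expected.
$knownServiceAccounts = @('svc-provisioning@example.com')

function Get-RoleChangeEvents {
    param(
        [int]$Hours = 24,
        [string[]]$ExcludeActors = $knownServiceAccounts
    )

    # 5000 is the per-call ceiling; use -SessionCommand ReturnLargeSet and
    # page with -SessionId when a tenant produces more events than that.
    $raw = Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-$Hours) `
        -EndDate (Get-Date) `
        -RecordType AzureActiveDirectory `
        -Operations $operations `
        -ResultSize 5000

    foreach ($record in $raw) {
        # AuditData is a JSON string: UserId is the actor, Target lists the
        # affected principal(s), ModifiedProperties carries the role name.
        $data  = $record.AuditData | ConvertFrom-Json
        $actor = $data.UserId

        if ($ExcludeActors -contains $actor) {
            # Keep service-account activity out of the alert stream but still
            # visible (tagged) when the script runs with -Verbose.
            Write-Verbose "Tagged as service account activity: $actor $($data.Operation)"
            continue
        }

        $roleProp = $data.ModifiedProperties |
            Where-Object { $_.Name -eq 'Role.DisplayName' } |
            Select-Object -First 1
        # Additions populate NewValue, removals populate OldValue; either is
        # JSON-encoded, so strip the surrounding quotes.
        $roleName = '(unknown role)'
        if ($roleProp) {
            $rawRole  = if ($roleProp.NewValue) { $roleProp.NewValue } else { $roleProp.OldValue }
            $roleName = [string]$rawRole.Trim('"')
        }

        # Assumption: the affected user appears in Target with a UPN-shaped ID.
        $target = ($data.Target | Where-Object { $_.ID -like '*@*' } |
            Select-Object -First 1).ID

        [pscustomobject]@{
            When      = $record.CreationDate
            Actor     = $actor
            Operation = $data.Operation
            Target    = $target
            Role      = $roleName
            EventId   = $data.Id
        }
    }
}

# Usage: list the last day's changes, Global Administrator changes first.
Get-RoleChangeEvents -Hours 24 |
    Sort-Object @{ Expression = { $_.Role -eq 'Global Administrator' }; Descending = $true }, When |
    Format-Table When, Actor, Operation, Target, Role -AutoSize
```

Excluding an account from alerts is not the same as ignoring it: the excluded events are still in the audit log and are still emitted on the verbose stream, so a periodic review of service-account activity remains possible without the alert noise.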

Method 3: Use Microsoft Graph API for Role Assignment Monitoring

📌 Use Case: Enumerate the current directory role assignments through Microsoft Graph and compare them with a saved baseline to detect new or removed assignments, rather than relying solely on audit events.

  1. Authenticate with Microsoft Graph

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "AuditLog.Read.All"

  2. Query role assignments

Get-MgRoleManagementDirectoryRoleAssignment

  3. Compare with the previous state stored in a local file or registry to detect new assignments

# Export current state
$assignments = Get-MgRoleManagementDirectoryRoleAssignment | Select-Object Id, PrincipalId, RoleDefinitionId
$assignments | Export-Csv "C:\Logs\CurrentRoles.csv" -NoTypeInformation

Automate comparison between the two states and send notifications if you detect any changes.
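The comparison step is where this method earns its keep, so here it is carried through as an added example (not code from the original post or from NinjaOne): the script snapshots the active role assignments, diffs them against the CSV left by the previous run using the assignment Id as the join key, resolves the principal and role names, and returns the additions and removals together with a ready-to-send summary. It assumes Connect-MgGraph has been run with RoleManagement.Read.Directory and, for resolving principal names, Directory.Read.All; the CSV path is the one from the post, and the Get-MgDirectoryObject lookup is an assumption about how to resolve a PrincipalId.

```powershell
# Added example (not code from the original post or from NinjaOne).
# Assumes Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

$baselinePath = 'C:\Logs\CurrentRoles.csv'

function Get-RoleAssignmentSnapshot {
    # Resolve role definition ids to display names once, not per assignment.
    $roleNames = @{}
    Get-MgRoleManagementDirectoryRoleDefinition -All |
        ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

    Get-MgRoleManagementDirectoryRoleAssignment -All | ForEach-Object {
        [pscustomobject]@{
            Id               = $_.Id
            PrincipalId      = $_.PrincipalId
            RoleDefinitionId = $_.RoleDefinitionId
            RoleName         = $roleNames[$_.RoleDefinitionId]
            DirectoryScopeId = $_.DirectoryScopeId   # "/" means tenant-wide
        }
    }
}

function Compare-RoleAssignments {
    param([object[]]$Previous, [object[]]$Current)
    # The assignment Id is stable for the life of an assignment, so it is the
    # join key; hash lookups stay correct when either side is empty.
    $prevIds = @{}; foreach ($p in $Previous) { $prevIds[$p.Id] = $true }
    $currIds = @{}; foreach ($c in $Current)  { $currIds[$c.Id] = $true }
    [pscustomobject]@{
        Added   = @($Current  | Where-Object { -not $prevIds.ContainsKey($_.Id) })
        Removed = @($Previous | Where-Object { -not $currIds.ContainsKey($_.Id) })
    }
}

function Resolve-PrincipalName {
    param([string]$PrincipalId)
    # Assumption: a directory-object lookup is permitted; fall back to the id.
    try {
        $obj  = Get-MgDirectoryObject -DirectoryObjectId $PrincipalId
        $name = $obj.AdditionalProperties['userPrincipalName']   # users
        if (-not $name) { $name = $obj.AdditionalProperties['displayName'] }  # groups, SPs
        if ($name) { return $name }
    } catch { }
    return $PrincipalId
}

function Invoke-RoleAssignmentCheck {
    $previous = if (Test-Path $baselinePath) { @(Import-Csv $baselinePath) } else { @() }
    $current  = @(Get-RoleAssignmentSnapshot)
    $diff     = Compare-RoleAssignments -Previous $previous -Current $current

    # Persist the new state only after the comparison, so a crash mid-run does
    # not silently advance the baseline past an unreported change.
    $current | Export-Csv -Path $baselinePath -NoTypeInformation

    $lines = @()
    if ($previous.Count -eq 0) {
        $lines += "Baseline created with $($current.Count) assignment(s); nothing compared yet."
    }
    foreach ($a in $diff.Added) {
        $lines += "ADDED   $(Resolve-PrincipalName $a.PrincipalId) -> $($a.RoleName) (scope $($a.DirectoryScopeId))"
    }
    foreach ($r in $diff.Removed) {
        $lines += "REMOVED $(Resolve-PrincipalName $r.PrincipalId) <- $($r.RoleName) (scope $($r.DirectoryScopeId))"
    }

    [pscustomobject]@{
        Added   = $diff.Added
        Removed = $diff.Removed
        Summary = ($lines -join "`n")
    }
}

# Usage: run on a schedule; feed Summary to the Method 4 mail or Teams step
# whenever Added or Removed is non-empty.
$check = Invoke-RoleAssignmentCheck
if ($check.Added.Count -gt 0 -or $check.Removed.Count -gt 0) { $check.Summary }
```

Two caveats: the first run only establishes the baseline and reports nothing, and Get-MgRoleManagementDirectoryRoleAssignment returns active assignments only, so eligible (PIM) assignments need a separate query if you want them in the same diff.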

Method 4: Alert via Email or Teams When Changes are Detected

📌 Use Case: Use emails or Teams to automatically notify your stakeholders of any privileged role changes detected.

Example email trigger (the addresses below are placeholders; substitute your own)

Send-MailMessage -To "security-alerts@example.com" -From "m365-audit@example.com" `
    -Subject "ALERT: Microsoft 365 Admin Role Change Detected" `
    -Body "User JohnDoe was added to Global Admin on 2025-07-01T09:00Z" `
    -SmtpServer "smtp.clientdomain.com"

Note that Send-MailMessage is marked obsolete by Microsoft and warns on every call; it is shown here for illustration, and a Power Automate flow or your RMM platform's alerting is the more durable delivery path.

💡 Tip: To receive real-time alerts, set up a Power Automate flow that triggers each time a relevant event is detected in the Microsoft 365 audit logs.

Method 5: Use Registry Keys to Track Last Audit Check

📌 Use Case: Track the last successful audit scan to ensure your scheduled scripts are running.

  1. To store the timestamp of the last successful scan

New-Item -Path "HKLM:\SOFTWARE\Org\RoleChangeAudit" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Org\RoleChangeAudit" `
    -Name "LastAuditRun" -Value (Get-Date).ToString("u")

  2. To verify

reg query HKLM\SOFTWARE\Org\RoleChangeAudit

💡 Tip: Use the registry keys to track the latest audit run and configure your RMM tool to send out alerts if the last timestamp hasn’t been updated recently. This step will help you monitor if your scripts are running properly.
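The heartbeat only tells you something if it is written exclusively on success and if something checks its age. This added example (not code from the original post or from NinjaOne) wraps the scan in Try/Catch as the pitfalls table suggests, advances LastAuditRun only when the scan completes, logs every outcome to a file, and exposes a check an RMM task can run to flag a stale heartbeat. The registry path is the one used in the post; the log path, the 25-hour threshold and the scan body are assumptions. The timestamp is stored in round-trip ISO 8601 (UTC) rather than the "u" form above because the "u" format appends a literal Z without converting to UTC, which makes the stored value ambiguous when read back.

```powershell
# Added example (not code from the original post or from NinjaOne).
$regPath = 'HKLM:\SOFTWARE\Org\RoleChangeAudit'
$logPath = 'C:\Logs\RoleChangeAudit.log'   # assumed log location

function Write-AuditLog {
    param([string]$Message)
    "$((Get-Date).ToUniversalTime().ToString('o')) $Message" | Add-Content -Path $logPath
}

function Invoke-RoleAuditRun {
    param([scriptblock]$Scan)
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    try {
        $result = @(& $Scan)
        # The heartbeat is written only on this success path; a throw above
        # skips it, so the stale-heartbeat check fires even if nothing else does.
        Set-ItemProperty -Path $regPath -Name 'LastAuditRun'   -Value (Get-Date).ToUniversalTime().ToString('o')
        Set-ItemProperty -Path $regPath -Name 'LastRunStatus'  -Value 'Success'
        Set-ItemProperty -Path $regPath -Name 'LastEventCount' -Value $result.Count
        Write-AuditLog "Scan succeeded with $($result.Count) event(s)"
        return $result
    }
    catch {
        Set-ItemProperty -Path $regPath -Name 'LastRunStatus' -Value "Failed: $($_.Exception.Message)"
        Write-AuditLog "Scan failed: $($_.Exception.Message)"
        throw   # surface the failure to the scheduler / RMM as a non-zero exit
    }
}

function Test-AuditHeartbeat {
    param([int]$MaxAgeHours = 25)   # one daily run plus slack (assumed schedule)
    $props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.LastAuditRun) { return $false }
    # RoundtripKind keeps the stored Kind=Utc, so compare in UTC on both sides.
    $last = [datetime]::Parse($props.LastAuditRun, [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::RoundtripKind)
    $age  = (Get-Date).ToUniversalTime() - $last.ToUniversalTime()
    return $age.TotalHours -le $MaxAgeHours
}

# Usage from a scheduled task: run the scan of Method 2 inside the wrapper, then
# let the RMM check the heartbeat separately and alert on a non-zero exit code.
# Invoke-RoleAuditRun -Scan {
#     Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
#         -RecordType AzureActiveDirectory -Operations 'Add member to role' -ResultSize 1000
# }
if (-not (Test-AuditHeartbeat)) { Write-AuditLog 'Heartbeat stale'; exit 1 }
```

Keeping LastRunStatus next to LastAuditRun means the RMM can distinguish "script never ran" (stale heartbeat, status Success) from "script ran and failed" (status Failed), which points to different fixes.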

Method 6: Use Group Policy to Restrict Local Role Elevation on Devices

📌 Use Case: Enforce local group membership through Group Policy and prevent unauthorized local admin group changes on hybrid or co-managed devices.

GPO Path

Computer Configuration > Windows Settings > Security Settings > Restricted Groups

Make sure to define who should and shouldn’t be in local admin groups. This way, you can proactively prevent local users from making unauthorized group changes.
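Restricted Groups re-applies the membership at each policy refresh, but a device can drift between refreshes, so it is worth checking the live membership against the intended list. This added example (not code from the original post or from NinjaOne) compares the local Administrators group with an approved list and reports drift, so an RMM task can flag the device. The approved list is constructed for illustration; the domain group name is an assumption.

```powershell
# Added example (not code from the original post or from NinjaOne).
# Members the Restricted Groups policy is expected to enforce (constructed).
$approvedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local account
    'CONTOSO\Workstation Admins'         # assumed domain group name
)

function Get-LocalAdminDrift {
    param([string[]]$Approved = $approvedAdmins)
    # Get-LocalGroupMember reports names as AUTHORITY\Name, the same shape as
    # the approved list; -contains is case-insensitive, matching Windows.
    $members = @(Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -ExpandProperty Name)

    $unexpected = @($members  | Where-Object { $Approved -notcontains $_ })
    $missing    = @($Approved | Where-Object { $members  -notcontains $_ })

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Unexpected = $unexpected
        Missing    = $missing
        Compliant  = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
    }
}

# Usage: emit the drift as JSON for the RMM and fail the task when non-compliant.
$drift = Get-LocalAdminDrift
$drift | ConvertTo-Json -Compress
if (-not $drift.Compliant) { exit 1 }
```

An unexpected member is the finding that matters for privilege escalation; a missing approved member usually means the policy has not applied yet, which is also worth knowing.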

⚠️ Things to look out for

Keep these pitfalls in mind when following our guide:

Risks | Potential consequences | Reversal
Missing audit logs | Role changes will go undetected; no audit trail for configurations. | Use PowerShell to verify that audit logging is fully enabled and that ingestion is active.
Graph API errors | Monitoring may fail, and role changes will go undetected. | Run gpupdate /force before executing gpresult /h. Include the GPO status output in the escalation notes for Tier 2 validation.
False positives | Alert fatigue from flagging authorized role changes. | Refine query filters; exclude known service accounts and provisioning processes from the results.
Failed scripts | Missed detections. | Log to file and add error capture logic using Try/Catch.
Alert misconfigurations | Critical changes may be missed. | Use a Power Automate flow with an audit log connector to ensure real-time alerts.

Best practices for monitoring role changes in Microsoft 365

Here are some best practices for tracking role changes in Microsoft 365:

Exclude or tag service accounts differently

IT administrators typically use service accounts for automation or integration, meaning they can legitimately make role changes. If your alerting system doesn’t exclude these accounts from its searches, you’ll have hundreds of false positives in your logs.

That said, it’s best to list all trusted service accounts and exclude them from the alerts. You can also include a specific tag for their activities so that you can still keep track of their actions without causing any false alarms.

Create role expiration policies

Not all roles are meant to be permanent. Some companies would grant users temporary elevated access for specific projects and completely forget about them.

To prevent these outdated role assignments from becoming hidden security risks, build logic that automatically expires or removes roles after a specific period.

Use Just-In-Time (JIT) access wherever possible

Use Privileged Access Management (PAM) tools like Microsoft Entra PIM to enforce JIT access wherever possible. This feature allows users to request elevated permissions when needed and automatically revokes them after use.

Standardize role change monitoring across all tenants

If you manage multiple Microsoft 365 environments, use the same monitoring scripts or flows across all tenants to ensure consistency.

Never miss a critical role change notification with NinjaOne’s help

NinjaOne can help you keep track of Microsoft 365 role changes across all clients by:

  • Scheduling and running PowerShell audit scripts across tenants
  • Storing timestamped registry keys that verify if role audits are working
  • Triggering alerts each time role changes are detected or audit intervals are missed
  • Generating cross-client reports of current and previous role assignments
  • Flagging risky endpoints with role assignment or privilege violations

With NinjaOne, you can identify potential security risks before they escalate.

Block unauthorized access by automating role change notifications in Microsoft 365

Administrative roles are among a company’s most sensitive resources. Malicious actors could easily exploit these permissions to steal sensitive information, or worse, launch security breaches undetected.

With these risks in mind, monitoring role changes in Microsoft 365 is a must for any MSP.

Creating a notification system ensures that you can track, evaluate, and review every role escalation that occurs across all tenant environments.
