
Configure the Add Member to Microsoft 365 Group alert for the Splunk Add-on for Microsoft Office 365

Complete the steps to configure and use the Add Member to Microsoft 365 Group alert for the Splunk Add-on for Microsoft Office 365:

  1. Before you begin, you must manage tenants for the add-on. See Manage accounts for the Splunk Add-on for AWS.
  2. Configure the application permissions for the alert.
  3. Create the search query.
  4. Use the alert action.

To use the alert actions included in the Splunk Add-on for Microsoft Office 365, you must either be an administrator or a user with the appropriate capability:

  • list_storage_passwords

Configure application permissions for the Add Member to Microsoft 365 Group alert

Required permissions for Microsoft Entra ID application:

  • GroupMember.ReadWrite.All

Use the alert action

To create a new alert action, follow these steps:

  1. In Splunk Web, navigate to the Search & Reporting app.
  2. Write a search string that you want to use to trigger the alert. The following example demonstrates how to form a search string.

Splunk search example

… | eval group_id="group_id" | eval member_id="member_id"

  3. Click Save As > Alert.
  4. Fill out the Alert form. Give your alert a unique name and indicate whether the alert is a real-time alert or a scheduled alert. For more information, see Getting started with alerts in the Alerting Manual.
  5. Under Trigger Actions, click Add Actions.
  6. From the list, select Add Member to Microsoft 365 Group Alert.
  7. Enter values for all required fields, as shown in the following table, and click Save:
  Field       | Description
  ------------|------------------------------------------------------------
  Tenant Name | Required. The tenant name configured in the Splunk Add-on for Microsoft Office 365.
  Group ID    | Required. The ID of the group to which the member should be added. If you leave this field empty, it uses $result.group_id$ by default and triggers the alert for the value of group_id obtained from the search query.
  Member ID   | Required. The ID of the member to be added to the group. If you leave this field empty, it uses $result.member_id$ by default and triggers the alert for the value of member_id obtained from the search query.
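The following is an added example, not code from the Splunk Add-on for Microsoft Office 365, showing how the two alert-action parameters resolve against a search result row: an empty field falls back to its $result.<field>$ token, the token is substituted from the result, and both values are checked to be GUIDs before the directory write is attempted. The sample result row is constructed, and the request shape at the end assumes the action ultimately performs the Microsoft Graph "add member" call (POST /groups/{id}/members/$ref); that is an illustration of what GroupMember.ReadWrite.All is granted for, not the add-on's own implementation.

```python
import re
from typing import Dict, Optional

# Constructed sample: one search result row as the alert action would receive it.
SAMPLE_RESULT = {
    "group_id": "11111111-2222-3333-4444-555555555555",
    "member_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
}

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
TOKEN_RE = re.compile(r"^\$result\.([A-Za-z0-9_]+)\$$")


def resolve_param(value: str, field: str, result: Dict[str, str]) -> Optional[str]:
    """Resolve one alert-action parameter.

    An empty value falls back to $result.<field>$, as the field table describes.
    A $result.X$ token is substituted from the search result row; a literal
    value is returned unchanged. Returns None when the referenced field is
    absent from the result, so the caller can refuse to act on it.
    """
    if not value:
        value = f"$result.{field}$"
    match = TOKEN_RE.match(value)
    if match:
        return result.get(match.group(1))
    return value


def build_add_member_request(group_id_param: str, member_id_param: str,
                             result: Dict[str, str]) -> Dict[str, object]:
    """Validate the resolved IDs and describe the directory write they imply."""
    group_id = resolve_param(group_id_param, "group_id", result)
    member_id = resolve_param(member_id_param, "member_id", result)
    for name, val in (("group_id", group_id), ("member_id", member_id)):
        if val is None:
            raise ValueError(f"{name} is missing from the search result")
        if not GUID_RE.match(val):
            # IDs come straight from search results, so reject anything that
            # is not a directory object ID before any write is attempted.
            raise ValueError(f"{name} is not a GUID: {val!r}")
    # Assumption: the add-member operation the action performs on the tenant.
    # This is the documented Microsoft Graph shape, shown for illustration only.
    return {
        "method": "POST",
        "url": f"https://graph.microsoft.com/v1.0/groups/{group_id}/members/$ref",
        "body": {
            "@odata.id": f"https://graph.microsoft.com/v1.0/directoryObjects/{member_id}"
        },
    }


if __name__ == "__main__":
    print(build_add_member_request("", "", SAMPLE_RESULT))
```

Because both IDs are taken from whatever the triggering search returns, constraining the search to trusted fields and checking the resolved values, as the GUID check above does, is what keeps a malformed or unexpected result from turning into a group membership change on the tenant.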