Microsoft 365 Incidents alerting rule

Microsoft.SystemCenter.M365.Rules.IncidentsAlertingRule (Rule)

The rule processes the list of Active and Resolved Incidents for the Subscription, obtained through the Microsoft 365 API, and generates or updates the corresponding Alerts in Operations Manager.

Knowledge Base article:

Summary

The rule calls the Microsoft 365 Management API to get the list of incidents for the Subscription.

An incident (and the corresponding alert) is considered to be active and displayed in Active Incidents list if any of the affected services has one of the following states:

If all affected services for the incident are in other states, the incident (and its alert) is considered resolved.

For each Active Incident (and, when 'Include Resolved Incidents' is enabled, each Resolved Incident) the rule generates an Alert targeted at the Subscription in Operations Manager. The placeholders {0} to {4} in the alert message are filled, in that order, from the Title, IncidentStatus, ServicesAffected, IncidentState and IncidentId properties of the data item (AlertParameter1 to AlertParameter5 in the source code).

Alerts are suppressed by the unique Incident ID: a data item for an Incident that already has an open alert does not raise a second alert. If the data the API returns for that Incident changes, the rule updates the existing alert's payload and context instead.

Use the 'Include Resolved Incidents' and 'Reopen Closed Alerts' parameters (both false by default) to customize the rule behavior. The rule itself is disabled by default and must be enabled with an override before any alerts are generated.
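The following is an added example, not code from the management pack or from Microsoft: a small Python model of the decision logic described above, so the behaviour of the state evaluation, the EventType filter, the alert message template and the IncidentId suppression can be traced on sample data. The property names mirror those used in the rule's source (Title, IncidentStatus, ServicesAffected, IncidentState, IncidentId, EventType). The incident records, the service names and the set of "active" service states are constructed for illustration only; the page does not list the real state names, and the modelled meaning of 'Reopen Closed Alerts' (reopen the closed alert instead of raising a new one) is an assumption.

```python
"""Added example, not part of the management pack: models how the
IncidentsAlertingRule turns Microsoft 365 incident records into alerts."""
from dataclasses import dataclass

# Alert message template from the rule; {N} is bound to AlertParameter(N+1).
ALERT_MESSAGE = "{3} Incident {4} {0}: {1} for {2}"
ALERT_PARAMETER_ORDER = ("Title", "IncidentStatus", "ServicesAffected",
                         "IncidentState", "IncidentId")


def incident_state(services, active_states):
    """Active if ANY affected service is in one of the active states,
    otherwise Resolved. `services` maps service name -> current state."""
    if any(state in active_states for state in services.values()):
        return "Active"
    return "Resolved"


def build_data_item(incident, active_states):
    """Shape an incident record into the property bag the rule's
    ExpressionFilter and GenerateAlert module read."""
    return {
        "EventType": "Incident",
        "IncidentId": incident["Id"],
        "Title": incident["Title"],
        "IncidentStatus": incident["Status"],
        "ServicesAffected": ", ".join(sorted(incident["Services"])),
        "IncidentState": incident_state(incident["Services"], active_states),
    }


def render_alert_message(item):
    """Fill {0}..{4} from AlertParameter1..5 in the rule's order."""
    return ALERT_MESSAGE.format(*(item[name] for name in ALERT_PARAMETER_ORDER))


@dataclass
class Alert:
    incident_id: str   # the SuppressionValue
    message: str
    state: str
    closed: bool = False
    updates: int = 0   # how often payload/context was updated in place


class AlertStore:
    """Stand-in for Operations Manager alert suppression: at most one
    alert per IncidentId; a repeated data item updates it instead of
    raising a new one."""

    def __init__(self, include_resolved=False, reopen_closed=False):
        self.include_resolved = include_resolved
        self.reopen_closed = reopen_closed   # ASSUMED semantics, see lead-in
        self.alerts = {}                     # IncidentId -> current Alert

    def process(self, item):
        if item.get("EventType") != "Incident":        # ConditionDetection
            return None
        if item["IncidentState"] == "Resolved" and not self.include_resolved:
            return None
        key = item["IncidentId"]
        message = render_alert_message(item)
        current = self.alerts.get(key)
        if current is None or (current.closed and not self.reopen_closed):
            current = Alert(key, message, item["IncidentState"])
            self.alerts[key] = current                  # new alert
        else:
            current.closed = False                      # reopen if closed
            if (current.message, current.state) != (message, item["IncidentState"]):
                current.message = message               # API data changed
                current.state = item["IncidentState"]
                current.updates += 1
        return current

    def close(self, incident_id):
        """Simulate an operator closing the alert in the console."""
        self.alerts[incident_id].closed = True


# Constructed sample data, not real service-health records.
# ASSUMPTION: placeholder state names; the page does not list the real ones.
CONSTRUCTED_ACTIVE_STATES = {"ServiceDegradation", "ServiceInterruption"}
CONSTRUCTED_INCIDENTS = [
    {"Id": "EX000001", "Title": "Users can't send mail",
     "Status": "Service degradation",
     "Services": {"Exchange Online": "ServiceDegradation"}},
    {"Id": "SP000002", "Title": "Site access delays",
     "Status": "Service restored",
     "Services": {"SharePoint Online": "ServiceRestored",
                  "OneDrive": "ServiceRestored"}},
]


def run_cycle(store, incidents=CONSTRUCTED_INCIDENTS,
              active_states=CONSTRUCTED_ACTIVE_STATES):
    """One polling interval: evaluate every incident and feed the store."""
    return [store.process(build_data_item(i, active_states)) for i in incidents]


if __name__ == "__main__":
    store = AlertStore()
    for alert in run_cycle(store):
        if alert is not None:
            print(alert.message)
```

Running it with the defaults raises one alert for the active Exchange incident and none for the resolved SharePoint one; a second polling cycle with unchanged data returns the same alert object with no update, which is the suppression behaviour the text describes.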

See the list of Active and Resolved Incidents in the Microsoft 365 Admin Center.

Causes

An error state is caused by problems connecting to the Microsoft 365 API endpoint, which can have the following causes:

Resolutions

Resolution depends on the specific error. Verify and/or fix the following:

Element properties:

Target: Microsoft.SystemCenter.M365.Subscription
Category: Alert
Enabled: False
Alert Generate: True
Alert Severity: Error
Alert Priority: Normal
Remotable: True
Alert Message: Microsoft 365 Incident
Alert Message Format: {3} Incident {4} {0}: {1} for {2}

Member Modules:

ID        | Module Type        | TypeId                                                | RunAs
DS        | DataSource         | Microsoft.SystemCenter.M365.DataSource.IncidentAlerts | Default
Detection | ConditionDetection | System.ExpressionFilter                               | Default
Alert     | WriteAction        | System.Health.GenerateAlert                           | Default

Source Code:

<Rule ID="Microsoft.SystemCenter.M365.Rules.IncidentsAlertingRule" Enabled="false" Target="Microsoft.SystemCenter.M365.Subscription" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>Alert</Category>
  <DataSources>
    <!-- Polls the Microsoft 365 API every 900 s (15 min); each call times out after 300 s -->
    <DataSource ID="DS" TypeID="Microsoft.SystemCenter.M365.DataSource.IncidentAlerts">
      <TimeoutSeconds>300</TimeoutSeconds>
      <IntervalSeconds>900</IntervalSeconds>
      <SyncTime/>
      <SubscriptionId>$Target/Property[Type="Microsoft.SystemCenter.M365.Subscription"]/SubscriptionId$</SubscriptionId>
      <!-- Both options are off by default; change them with an override -->
      <IncludeResolvedIncidents>false</IncludeResolvedIncidents>
      <ReopenClosedAlerts>false</ReopenClosedAlerts>
      <AuthorityUrl>$Target/Property[Type="Microsoft.SystemCenter.M365.Subscription"]/AuthorityUri$</AuthorityUrl>
      <MicrosoftGraphUrl>$Target/Property[Type="Microsoft.SystemCenter.M365.Subscription"]/ManagementServiceUri$</MicrosoftGraphUrl>
      <TenantId>$Target/Property[Type="Microsoft.SystemCenter.M365.Subscription"]/TenantId$</TenantId>
    </DataSource>
  </DataSources>
  <!-- Only data items whose EventType property equals "Incident" reach the alert write action -->
  <ConditionDetection ID="Detection" TypeID="System!System.ExpressionFilter">
    <Expression>
      <SimpleExpression>
        <ValueExpression>
          <XPathQuery Type="String">Property[@Name='EventType']</XPathQuery>
        </ValueExpression>
        <Operator>Equal</Operator>
        <ValueExpression>
          <Value Type="String">Incident</Value>
        </ValueExpression>
      </SimpleExpression>
    </Expression>
  </ConditionDetection>
  <WriteActions>
    <!-- Severity 2 = Error, Priority 1 = Normal -->
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>2</Severity>
      <AlertOwner/>
      <AlertMessageId>$MPElement[Name="Microsoft.SystemCenter.M365.Incident.AlertMessage"]$</AlertMessageId>
      <!-- AlertParameterN fills placeholder {N-1} of the alert message -->
      <AlertParameters>
        <AlertParameter1>$Data/Property[@Name='Title']$</AlertParameter1>
        <AlertParameter2>$Data/Property[@Name='IncidentStatus']$</AlertParameter2>
        <AlertParameter3>$Data/Property[@Name='ServicesAffected']$</AlertParameter3>
        <AlertParameter4>$Data/Property[@Name='IncidentState']$</AlertParameter4>
        <AlertParameter5>$Data/Property[@Name='IncidentId']$</AlertParameter5>
      </AlertParameters>
      <!-- One alert per Incident ID; repeated items for the same ID are suppressed -->
      <Suppression>
        <SuppressionValue>$Data/Property[@Name='IncidentId']$</SuppressionValue>
      </Suppression>
      <Custom1>$Data/Property[@Name='EventType']$</Custom1>
      <Custom2>$Data/Property[@Name='IncidentState']$</Custom2>
      <Custom3>$Data/Property[@Name='IncidentStatus']$</Custom3>
      <Custom4>$Data/Property[@Name='IncidentId']$</Custom4>
    </WriteAction>
  </WriteActions>
</Rule>