The rule processes the list of Active and Resolved Incidents for the Subscription via the Microsoft 365 API, and generates or updates the corresponding Alerts in Operations Manager.
The rule calls the Microsoft 365 Management API to get the list of incidents for the Subscription.
An incident (and the corresponding alert) is considered active and is displayed in the Active Incidents list if any of the affected services has one of the following states:
- Information Unavailable
- Investigating
- Service Interruption
- Service Degradation
- Restoring Service
- Extended Recovery

If all affected services for the incident are in other states, the incident (and the alert) is considered resolved.
The rule generates an Alert targeted to the Subscription in Operations Manager for each Active or Resolved Incident.
Alerts are suppressed by means of a unique Incident ID. The rule updates the Alert payload and context if the data the API provides for the Incident changes.
Use 'Include Resolved Incidents' and 'Reopen Closed Alerts' to customize the rule behavior.
See the list of Active and Resolved Incidents in the Microsoft 365 Admin Center.
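The active/resolved decision and the suppression by Incident ID described above, modelled as an added example that is not code from the management pack. The incident dictionary layout, the function names, the "Service Restored" state and the sample polls are assumptions, and the example assumes resolved incidents are skipped when 'Include Resolved Incidents' is off.

```python
# Added illustration, not the management pack's code. Field names and the
# sample polls are constructed; the six active states are the ones listed above.
ACTIVE_STATES = {
    "Information Unavailable", "Investigating", "Service Interruption",
    "Service Degradation", "Restoring Service", "Extended Recovery",
}

def incident_state(incident):
    """Active if ANY affected service is in an active state, else Resolved."""
    states = incident["service_states"].values()
    return "Active" if any(s in ACTIVE_STATES for s in states) else "Resolved"

def process_poll(incidents, alerts, include_resolved=False):
    """Apply one API poll to `alerts` (incident ID -> alert dict), in place.

    Returns the (action, incident_id) pairs performed during this poll.
    """
    actions = []
    for inc in incidents:
        payload = {"title": inc["title"], "state": incident_state(inc),
                   "services": dict(inc["service_states"])}
        # Assumption: with the option off, resolved incidents are skipped.
        if payload["state"] == "Resolved" and not include_resolved:
            continue
        alert = alerts.get(inc["id"])
        if alert is None:
            alerts[inc["id"]] = dict(payload, repeat_count=0)
            actions.append(("created", inc["id"]))
            continue
        alert["repeat_count"] += 1  # same incident ID: suppressed, no new alert
        if any(alert[k] != v for k, v in payload.items()):
            alert.update(payload)   # API data changed: refresh the existing alert
            actions.append(("updated", inc["id"]))
    return actions

# Constructed sample: one incident seen in two consecutive polls.
POLL_1 = [{"id": "EX000001", "title": "Mail flow delays", "service_states": {
    "Exchange Online": "Service Degradation", "Microsoft Teams": "Service Restored"}}]
POLL_2 = [{"id": "EX000001", "title": "Mail flow delays", "service_states": {
    "Exchange Online": "Service Restored", "Microsoft Teams": "Service Restored"}}]

if __name__ == "__main__":
    alerts = {}
    print(process_poll(POLL_1, alerts, include_resolved=True))
    print(process_poll(POLL_1, alerts, include_resolved=True))
    print(process_poll(POLL_2, alerts, include_resolved=True))
    print(alerts)
```
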
An error state is caused by problems connecting to the Microsoft 365 API endpoint. It can be caused by the following:
- Issues with the global connection to the Microsoft 365 API endpoint.
- Credentials for the Microsoft 365 Subscription's account are not correct.
- The Microsoft 365 Subscription's account is not allowed to get data from the Microsoft 365 API endpoint.

Resolution depends on the specific error. Verify and/or fix the following:
- Connectivity to the Microsoft 365 API, including firewall and proxy settings.
- Credentials for the Microsoft 365 subscription may need to be changed or updated.
- Update permissions for the Microsoft 365 API subscription.

Property | Value |
---|---|
Target | Microsoft.SystemCenter.M365.Subscription |
Category | Alert |
Enabled | False |
Alert Generate | True |
Alert Severity | Error |
Alert Priority | Normal |
Remotable | True |
Alert Message | |

ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.SystemCenter.M365.DataSource.IncidentAlerts | Default |
Detection | ConditionDetection | System.ExpressionFilter | Default |
Alert | WriteAction | System.Health.GenerateAlert | Default |

<Rule ID="Microsoft.SystemCenter.M365.Rules.IncidentsAlertingRule" Enabled="false" Target="Microsoft.SystemCenter.M365.Subscription" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>Alert</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Microsoft.SystemCenter.M365.DataSource.IncidentAlerts">
      <TimeoutSeconds>300</TimeoutSeconds>
      <IntervalSeconds>900</IntervalSeconds>
      <SyncTime/>
      <SubscriptionId>$Target/Property[Type="Microsoft.SystemCenter.M365.Subscription"]/SubscriptionId$</SubscriptionId>
      <IncludeResolvedIncidents>false</IncludeResolvedIncidents>
      <ReopenClosedAlerts>false</ReopenClosedAlerts>
      <AuthorityUrl>$Target/Property[Type="Microsoft.SystemCenter.M365.Subscription"]/AuthorityUri$</AuthorityUrl>
      <MicrosoftGraphUrl>$Target/Property[Type="Microsoft.SystemCenter.M365.Subscription"]/ManagementServiceUri$</MicrosoftGraphUrl>
      <TenantId>$Target/Property[Type="Microsoft.SystemCenter.M365.Subscription"]/TenantId$</TenantId>
    </DataSource>
  </DataSources>
  <ConditionDetection ID="Detection" TypeID="System!System.ExpressionFilter">
    <Expression>
      <SimpleExpression>
        <ValueExpression>
          <XPathQuery Type="String">Property[@Name='EventType']</XPathQuery>
        </ValueExpression>
        <Operator>Equal</Operator>
        <ValueExpression>
          <Value Type="String">Incident</Value>
        </ValueExpression>
      </SimpleExpression>
    </Expression>
  </ConditionDetection>
  <WriteActions>
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>2</Severity>
      <AlertOwner/>
      <AlertMessageId>$MPElement[Name="Microsoft.SystemCenter.M365.Incident.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/Property[@Name='Title']$</AlertParameter1>
        <AlertParameter2>$Data/Property[@Name='IncidentStatus']$</AlertParameter2>
        <AlertParameter3>$Data/Property[@Name='ServicesAffected']$</AlertParameter3>
        <AlertParameter4>$Data/Property[@Name='IncidentState']$</AlertParameter4>
        <AlertParameter5>$Data/Property[@Name='IncidentId']$</AlertParameter5>
      </AlertParameters>
      <Suppression>
        <SuppressionValue>$Data/Property[@Name='IncidentId']$</SuppressionValue>
      </Suppression>
      <Custom1>$Data/Property[@Name='EventType']$</Custom1>
      <Custom2>$Data/Property[@Name='IncidentState']$</Custom2>
      <Custom3>$Data/Property[@Name='IncidentStatus']$</Custom3>
      <Custom4>$Data/Property[@Name='IncidentId']$</Custom4>
    </WriteAction>
  </WriteActions>
</Rule>