Azure fraud detection and notification

Appropriate roles: Admin agent

As a partner in the Cloud Solution Provider program, you're responsible for your customer's Azure consumption, so it's important that you're aware of any potential cryptocurrency mining activities in your customers' Azure subscriptions.

Awareness enables you to take immediate action to determine whether the behavior is legitimate or fraudulent. If necessary, you can suspend affected Azure resources or Azure subscriptions to mitigate an issue.


Required action: To receive Azure fraud notifications, you must first subscribe to them.

What to do when you receive a fraud notification

The following checklist provides suggested next steps for what to do if you get a fraud notification.

  • To get a list of Azure resources that have fraudulent activities, see Get fraud events.
  • Review any Azure subscriptions, and if they're legitimate, call the API to update the status correctly. For more information, see Update fraud event status.
  • Review any other Azure resources or services that may have been unexpectedly provisioned in the last week. Suspend any suspicious Azure resources or Azure subscriptions.
  • As a precaution, we highly recommend that all Global admins in your customer's tenant immediately change their passwords if they haven't done so already.
  • Review and verify all global admin user password recovery emails and phone numbers within Azure Active Directory. Update them if necessary.
  • Follow the Partner Center security requirements to enable multi-factor authentication for all users in your CSP partner tenant.
  • Review which users, tenants, and subscriptions are at risk within the Azure portal.

Refer to the Cloud Solution Provider security best practices to mitigate any potential security risk within your CSP partner account.

How to get fraud notifications

You can subscribe to various partner notifications based on your role. Fraud events alerts notify you when your customer's Azure subscription shows possible crypto-mining activity in a 30-day period.

To configure fraud events notifications:

  1. Sign in to the Partner Center dashboard.
  2. Select the Settings gear icon, then select My preferences.
  3. Configure a preferred email address if you haven't already done so.
  4. Configure the preferred language for the notification if you haven't already done so.
  5. Select Security under Notification preferences.
  6. Select the Fraud events alerts.
  7. Select the Fraud events daily summary option to receive a daily summary of unresolved fraud events in your CSP tenant.
  8. Select Save.

Next steps

Integrate with Azure fraud events API.