Hi @Abed Elheyb ,
Thanks for reaching out to Microsoft Q&A.
To send real-time PIM notifications to Azure Event Hub, you can leverage Microsoft Entra ID diagnostic settings and stream PIM audit logs directly to Event Hub. This allows you to trigger a Function App using an Event Hub trigger whenever a PIM event occurs.
Steps to configure PIM events to Event Hub:
- Navigate to Microsoft Entra ID in the Azure portal.
- Select Diagnostic settings and click + Add diagnostic setting.
- Select AuditLogs (which contains PIM activity).
- Check Stream to an event hub.
- Select the Event Hub namespace, policy, and specific Event Hub.
Triggering a Function App:
Once configured, every PIM-related audit event is streamed to Event Hub in near real time. You can then:
- Create an Azure Function App
- Use an Event Hub trigger
- Process PIM events programmatically (alerts, automation, integrations, etc.)
Sample Azure Function code that triggers when a message is received from Event Hub and filters PIM-specific events.
using System;
using System.Text;
using Azure.Messaging.EventHubs;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Extensions.Logging;
using Newtonsoft.Json.Linq;

public class Function1
{
    private readonly ILogger<Function1> _logger;

    public Function1(ILogger<Function1> logger)
    {
        _logger = logger;
    }

    // Isolated-worker Event Hub trigger. "samples-workitems" is the event hub name and
    // "EventHubConnection" is the app setting that holds the namespace connection string.
    [Function(nameof(Function1))]
    public void Run(
        [EventHubTrigger(
            "samples-workitems",
            Connection = "EventHubConnection")]
        EventData[] events)
    {
        foreach (EventData eventData in events)
        {
            try
            {
                var messageBody = Encoding.UTF8.GetString(eventData.Body.ToArray());
                _logger.LogInformation("Raw Event Hub Message: {message}", messageBody);

                // Diagnostic settings wrap each batch of audit entries in a "records" array.
                var json = JObject.Parse(messageBody);
                var records = json["records"];
                if (records == null)
                    continue;

                foreach (var record in records)
                {
                    // AuditLogs also carries Core Directory, SSPR and other services;
                    // keep only the entries written by PIM.
                    if (record["loggedByService"]?.ToString() == "PIM")
                    {
                        var activity = record["activityDisplayName"]?.ToString();
                        var operation = record["operationName"]?.ToString();
                        var user = record["initiatedBy"]?["user"]?["userPrincipalName"]?.ToString();
                        var role = record["targetResources"]?[0]?["displayName"]?.ToString();

                        _logger.LogInformation("PIM Event Detected");
                        _logger.LogInformation("User: {user}", user);
                        _logger.LogInformation("Role: {role}", role);
                        _logger.LogInformation("Activity: {activity}", activity);
                        _logger.LogInformation("Operation: {operation}", operation);
                    }
                }
            }
            catch (Exception ex)
            {
                // Log and move on so one malformed message does not fail the whole batch.
                _logger.LogError(ex, "Error processing Event Hub message");
            }
        }
    }
}
Hope this helps!
If the resolution was helpful, kindly take a moment to click on Accept Answer and click on Yes for "Was this answer helpful". And, if you have any further query, do let us know.
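As an added example (not part of the answer above or Microsoft's own code), the same PIM filtering written as a standalone Python function that an Event Hub-triggered function could call on each message body; beyond the C# snippet it also handles app-initiated PIM events (no `initiatedBy.user`), empty `targetResources`, and non-JSON bodies. The sample payload, the activity names and the preference for the target typed `Role` are constructed assumptions, not captured tenant data.

```python
import json

# Constructed sample of one Event Hub message as emitted by Entra ID diagnostic
# settings: a JSON envelope whose "records" array mixes PIM and non-PIM audit logs.
SAMPLE_MESSAGE = json.dumps({"records": [
    {"loggedByService": "PIM",  # PIM activation initiated by a user
     "activityDisplayName": "Add member to role completed (PIM activation)",
     "operationName": "Add member to role completed (PIM activation)",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"type": "User", "displayName": "Alice"},
                         {"type": "Role", "displayName": "Global Administrator"}]},
    {"loggedByService": "PIM",  # PIM event initiated by an app: no "user", no targets
     "activityDisplayName": "Remove member from role completed (PIM deactivation)",
     "initiatedBy": {"app": {"displayName": "PIM Automation App"}},
     "targetResources": []},
    {"loggedByService": "Core Directory",  # non-PIM record that must be ignored
     "activityDisplayName": "Update user", "operationName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"type": "User", "displayName": "Bob"}]},
]})


def _actor(record: dict) -> str:
    """UPN of the initiating user, or the app name when a service principal acted."""
    by = record.get("initiatedBy") or {}
    return ((by.get("user") or {}).get("userPrincipalName")
            or (by.get("app") or {}).get("displayName") or "<unknown>")


def _role(record: dict) -> str:
    """Prefer the target typed 'Role'; else the first target (assumption about ordering)."""
    targets = record.get("targetResources") or []
    for t in targets:
        if t.get("type") == "Role" and t.get("displayName"):
            return t["displayName"]
    return (targets[0].get("displayName") if targets else None) or "<unknown>"


def parse_pim_events(message_body: str) -> list[dict]:
    """Extract PIM audit records from one Event Hub message; malformed bodies yield []."""
    try:
        envelope = json.loads(message_body)
    except json.JSONDecodeError:
        return []  # skip a bad message instead of failing the whole batch
    records = envelope.get("records") if isinstance(envelope, dict) else None
    events = []
    for record in records or []:
        if record.get("loggedByService") != "PIM":
            continue  # AuditLogs also carries Core Directory, SSPR, etc.
        events.append({"actor": _actor(record), "role": _role(record),
                       "activity": record.get("activityDisplayName") or "",
                       "operation": record.get("operationName") or ""})
    return events
```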