Forum Discussion
StefanKi
Oct 31, 2024Iron Contributor
Report conditional access policies and sign in logs
I would like to create a PowerShell report about the relation between sign in logs and the conditional access policies. For me it is important to see the effects of the conditional access policies (in reporting mode) on the user signs. Thank you for your support
- Why not just use the Conditional Access workbook? https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-insights-reporting
- StefanKiIron ContributorThe customer can not use Azure Log Analytic Workspace.
- Well, you can filter the Entra sign-in logs per specific CA policy, something like this:
GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$top=1&$filter=appliedConditionalAccessPolicies/any(c:c/id eq '04fec5ff-fa7e-45e9-bf5e-45a976624422' and c/result eq 'success')
If the policy is in report mode, you have to filter by reportOnlySuccess and also add the Prefer: include-unknown-enum-members header as per: https://learn.microsoft.com/en-us/graph/api/resources/appliedconditionalaccesspolicy?view=graph-rest-1.0