Introducing Report-only mode for Conditional Access
Published Nov 11 2019 10:02 AM

Howdy folks!

 

We had such an awesome time at Ignite last week! It was great to meet with so many customers and we learned so much. And we were blown away by the level of excitement customers expressed for the new capabilities we announced.

 

I know many of you weren’t able to attend in person. Over the next two weeks we’re going to post more detailed blogs on the new capabilities we announced—so you can join in that excitement with us!

 

To kick things off, I’d like to start with one of our most highly requested features, the public preview of Report-only mode! Customers tell us they love Conditional Access because they can apply the right controls in the right circumstances. But the big challenge with deploying Conditional Access is figuring out how many users will be impacted by a policy.

 

Report-only mode is a new capability that allows admins to evaluate Conditional Access policies without enforcing the grant or session controls. During sign-in, policies in Report-only mode are evaluated but not enforced, and the sign-in logs record the expected result. Additionally, customers with an Azure Monitor subscription can monitor the impact of their Conditional Access policies using the new Conditional Access Insights workbook.

 

I’m excited to make it easier for IT admins to understand the impact of Conditional Access before potentially impacting users in their environments. Here’s what one of our early adopters had to say:

 

“We have used the early release of Report-only mode for Conditional Access for several months. It has been invaluable to enable an improved application and system security posture with greater agility and confidence. This feature allows us to implement security controls much quicker and reduce the likelihood of rolling back a policy. I highly recommend customers evaluate utilizing this capability.”

Robert Bowen, Identity and Access Management Practice Leader for NCR Corporation

 

Daniel Wood, program manager for the feature, wrote a guest blog post to explain the details. As always, we’re curious to hear your feedback. Shoot an email to reportonlymode@microsoft.com with your thoughts or leave a comment below—we look forward to hearing from you!

Best regards,

 

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division 

___________________________________________________________________________________________

 

Hi there!

 

I’m excited to announce the release of Report-only mode in public preview. Here is an overview of the feature. For detailed steps, see Configure a Conditional Access policy in report-only mode (Preview).

 

Enable a Conditional Access policy in Report-only mode

 

Report-only mode is enabled under the Conditional Access blade. Simply click + New Policy, or edit an existing policy, and then toggle to the new Report-only state!

 

 


 

Use the Conditional Access Insights Workbook

 

To monitor the overall impact of Conditional Access policies in your tenant, we published a powerful Conditional Access Insights workbook through Azure Monitor. Access the workbook by clicking Workbooks and then Conditional Access Insights.

 

To integrate Azure Monitor with Azure AD simply:

 

  1. Sign up for an Azure Monitor subscription and create a workspace (tutorial).
  2. Export the Sign-in logs from Azure AD to Azure Monitor (tutorial).

With the Conditional Access Insights workbook, you can view how many users and sign-ins are impacted by a set of Conditional Access policies. Set the parameters and the workbook will load automatically. Want to isolate the impact of just a few policies? Just select the ones you want in the Conditional Access policy drop-down.

 


To dig into your sign-in data further, you can edit the workbook to refine queries just for your organization. At the top of the workbook, click Edit to expose the underlying queries. Saving the workbook will create a new copy.

 

View Report-only result in Azure AD Sign-in logs

 

Once the policy is created in Report-only mode, it is evaluated during sign-in. From the Sign-ins page, click a sign-in to see which Conditional Access policies are applied. You can find Report-only policies in the new Report-only tab.
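
The same per-policy view can be computed offline from exported sign-in records. The following is an added example, not code from the original post or from Microsoft: it assumes records shaped like the Microsoft Graph signIn resource (`appliedConditionalAccessPolicies` with `displayName` and `result`), and the policy names, users and sample records are constructed for illustration.

```python
from collections import Counter

# Results a policy in Report-only state can record on a sign-in
# (values of the Microsoft Graph signIn appliedConditionalAccessPolicies[].result field).
REPORT_ONLY = {"reportOnlySuccess", "reportOnlyFailure",
               "reportOnlyInterrupted", "reportOnlyNotApplied"}
# Results meaning enforcement would have blocked or prompted the user.
WOULD_IMPACT = {"reportOnlyFailure", "reportOnlyInterrupted"}

def _signin(upn, *policies):
    """Build one constructed sign-in record (sample data only)."""
    return {"userPrincipalName": upn,
            "appliedConditionalAccessPolicies":
                [{"displayName": n, "result": r} for n, r in policies] or None}

# Constructed sample export, not real tenant data; policy names are hypothetical.
SAMPLE_SIGNINS = [
    _signin("alice@contoso.example", ("Require MFA for admins", "reportOnlyInterrupted"),
            ("Block legacy auth", "success")),           # enforced policy, ignored
    _signin("ALICE@contoso.example", ("Require MFA for admins", "reportOnlyInterrupted")),
    _signin("bob@contoso.example", ("Require MFA for admins", "reportOnlySuccess")),
    _signin("carol@contoso.example", ("Require MFA for admins", "reportOnlyNotApplied"),
            ("Require compliant device", "reportOnlyFailure")),
    _signin("dave@contoso.example"),                      # no policies recorded (null)
]

def summarize_report_only(signins):
    """Per report-only policy: sign-in counts by result and distinct impacted users."""
    summary = {}
    for s in signins:
        for p in s.get("appliedConditionalAccessPolicies") or []:
            result = p.get("result")
            if result not in REPORT_ONLY:
                continue  # skip enforced or disabled policies
            entry = summary.setdefault(p["displayName"],
                                       {"counts": Counter(), "impacted_users": set()})
            entry["counts"][result] += 1
            if result in WOULD_IMPACT:
                # UPN case varies between sign-ins; normalise before de-duplicating
                entry["impacted_users"].add(s["userPrincipalName"].lower())
    return summary

if __name__ == "__main__":
    for name, e in summarize_report_only(SAMPLE_SIGNINS).items():
        print(f"{name}: {dict(e['counts'])} impacted={sorted(e['impacted_users'])}")
```

The impacted-user set per policy is the number to review before switching that policy from Report-only to On.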

 


 

 

We hope that this feature helps you make it easier to deploy and monitor Conditional Access. And if you prefer managing Conditional Access through the new API, Report-only functionality will be rolling out shortly as well.

 

We look forward to getting your feedback on the feature as we prepare for general availability. You can let us know what you think at reportonlymode@microsoft.com or in the comments below.

Thanks for reading!

 

Daniel Wood (@Daniel_E_Wood)

 

 

Last update: Nov 11 2019 10:55 AM