Conditional Access "Monitoring" only shows admins in Activity Log

%3CLINGO-SUB%20id%3D%22lingo-sub-1746895%22%20slang%3D%22en-US%22%3EConditional%20Access%20%22Monitoring%22%20only%20shows%20admins%20in%20Activity%20Log%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1746895%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20monitoring%20set%20up%20with%20Conditional%20Access%20App%20Control.%20I%20have%20onboarded%20a%20handful%20of%20applications%20including%20Office%20365%20and%20I%20can%20see%20that%20my%20Conditional%20Access%20App%20Control%20Apps%20are%20connected.%20I%20have%20applied%20a%20policy%20to%20monitor%20all%20users.%20When%20I%20check%20the%20Activity%20Log%20tab%20I%20only%20see%20users%20who%20have%20a%20security%20role%20listed%20with%20logged%20activity.%20I%20see%20people%20that%20are%20Global%20Admins%2C%20Global%20Readers%2C%20Security%20Admins%20but%20not%20regular%20users%20logged%20in%20the%20Activity%20Log%20tab.%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20the%20behavior%20expected%3F%20Am%20I%20missing%20the%20point%20of%20monitoring%20the%20applications%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1746895%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECloud%20App%20Security%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1750991%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20%22Monitoring%22%20only%20shows%20admins%20in%20Activity%20Log%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1750991%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F94636%22%20target%3D%22_blank%22%3E%40Paul%20Brock%3C%2FA%3E!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CDIV%3EDo%20you%20mind%20providing%20a%20couple%20screenshots%20of%20your%20AAD%20CA%20Policy%20and%20MCAS%20CAAC%20Policy%3F%20This%20isn't%20typical%20behavior%20and%20should%20monitor%20all%20users%20for%20that%20application.%20Is%20your%20AAD%20CA%20policy%20scoped%20to%20a%20specific%20group%20of%20admins%3F%20Also%2C%20is%20your%20MCAS%20deployment%20scoped%20for%20Admins%20for%20that%20specific%20app%20under%20Settings%20-%26gt%3B%20Scoped%20Deployment%3F%20Lastly%2C%20do%20you%20have%20activity%20privacy%20implemented%3F%3C%2FDIV%3E%0A%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CDIV%3EThank%20you!%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1751562%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20%22Monitoring%22%20only%20shows%20admins%20in%20Activity%20Log%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1751562%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F708110%22%20target%3D%22_blank%22%3E%40sarahzin%3C%2FA%3E%26nbsp%3BThank%20you%20so%20much.%20It%20was%20scoped%20by%20accident.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

We have monitoring set up with Conditional Access App Control. I have onboarded a handful of applications including Office 365 and I can see that my Conditional Access App Control Apps are connected. I have applied a policy to monitor all users. When I check the Activity Log tab I only see users who have a security role listed with logged activity. I see people that are Global Admins, Global Readers, Security Admins but not regular users logged in the Activity Log tab. 

Is the behavior expected? Am I missing the point of monitoring the applications?

2 Replies

Hi @Paul Brock!

 

Do you mind providing a couple screenshots of your AAD CA Policy and MCAS CAAC Policy? This isn't typical behavior and should monitor all users for that application. Is your AAD CA policy scoped to a specific group of admins? Also, is your MCAS deployment scoped for Admins for that specific app under Settings -> Scoped Deployment? Lastly, do you have activity privacy implemented?
 
Thank you!

@Sarahzin Thank you so much. It was scoped by accident.