Guidance on process and logging


I am after some guidance and information on the process logins take. By this I mean things like is what is evaluated first? If I login, when is conditional access evaluated? When does the login appear in the Azure AD logs. Does this vary depending on the protocol I use, i.e. if I have basic auth off when does a POP request get rejected? I'd like to know what gets evaluated when during the login process.


I'd also like to better understand when something appears in the log. If I have an alert for impossible travel in MCAS say, after that is tripped how long is it before I receive a notification? is there any documentation on how long alerts from different processes take from incident to display?

0 Replies