We are currently evaluating Azure AD Conditional Access as well as Identity Protection. We have a few temporal instances where a user will receive the message "Your sign-in was successful but does meet the criteria to access the resource". We believe this is invoked by Conditional Access, but the instances are false positives, as the users are usually within a trusted IP location (or a location where Conditional Access should not trigger). We are attempting to determine the best way to research. The Cloud App Security portal is great, but there is nowhere in the logs that references why the policy would apply. The logins show as successful with no policy applied. For example, the user below received the Conditional Access message during this login.
In case anyone else comes across this: I spoke with the Azure team, and this reporting can only be accessed by them for the time being (in a fairly unreadable format). The reporting is supposed to come out soon for end users. She did tell me that if there is one unconfigured item in the Conditional Access policy, a false positive might be triggered, so configure all of them (devices, locations, apps, users).