Conditional Access Reporting


We are currently evaluating Azure AD Conditional Access as well as Identity Protection. We have a few temporal instances where a user will receive the message "Your sign-in was successful but does meet the criteria to access the resource". We believe this is invoked by Conditional Access, but the instances are false positives, as the users are usually within a trusted IP location (or a location where Conditional Access should not trigger). We are attempting to determine the best way to research. The Cloud App Security portal is great, but there is nowhere in the logs that references why the policy would apply. The logins show as successful with no policy applied. For example, the user below received the Conditional Access message during this login.

https://www.screencast.com/t/APnNk1Q7

There is no indication of why. Is there a better place to research Conditional Access false positives?

2 Replies

In case anyone else comes across this: I spoke with the Azure team, and this reporting can only be accessed by them for the time being (in a fairly unreadable format). The reporting is supposed to come out soon for end users. She did tell me that if there is one unconfigured item in the Conditional Access policy, a false positive might be triggered, so configure all of them (devices, locations, apps, users).

Hello James,

If I am not too late to reply on this post, please check the What If tool, introduced to check which policies will be applied when a user tries to log in.

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-whatif

Ignore if duplicate.

Regards,

Rishabh