Find events where access was blocked by specific condional access policy

Question

HiIn Azure Sentinel, I need to find events where access to a resource was blocked by specific conditional access policy.Can anyone help with the query ?

grzegorz wierzbicki · Answer

PhilQuiet&nbsp;This works, thankyou very much.mvexpand is the key I was missing.

clivewatson · Answer

Grzegorz Wierzbicki&nbsp;
&nbsp;
let policyname = "MCAS";  // some text that matches the policy name
SigninLogs
| where ConditionalAccessPolicies has policyname
| where ConditionalAccessStatus == "success"
| project AppliedConditionalAccessPolicies 
Maybe start to look for the policy name...

grzegorz wierzbicki · Answer

This is not it.ConditionalAccessPolicies is an array of all the policies found in the tenant.Each policy can have a status of success, notApplied or notEnabled (possibly more?)In PowerShell this would be a no-brainer.$policyid = &lt;guid&gt;$ConditionalAccessPolicies | ?{$_.id -eq $policyid -AND $_.result -eq "success"}&nbsp;I just don't know how do that in this query language...

clivewatson · Answer

Grzegorz Wierzbicki&nbsp;
&nbsp;
More like
SigninLogs
| where tostring(ConditionalAccessPolicies.[0].displayName) !=""
| summarize count() by //TimeGenerated,
                        CAPolicyName = tostring(ConditionalAccessPolicies.[0].displayName),                                            ConditionalAccessStatus

&nbsp;
Filter on 'success' with&nbsp;
&nbsp;
SigninLogs
| where tostring(ConditionalAccessPolicies.[0].displayName) !=""
| where ConditionalAccessStatus == "success"
| summarize count() by //TimeGenerated,
                        CAPolicyName = tostring(ConditionalAccessPolicies.[0].displayName),                                            ConditionalAccessStatus

grzegorz wierzbicki · Answer

CliveWatson&nbsp;Thank you for trying :)&nbsp;This will not work.In your example you are only checking the first policy from the array (with index [0]).I don't know at which position in the array my policy is.I can find out by checking the logs (today it is 27) but that position can change as older policies are removed from the tenant.Query must be based on specific policy ID

Forum Discussion

Find events where access was blocked by specific condional access policy

Share

Resources