Forum Discussion
Grzegorz Wierzbicki
Apr 18, 2019 Brass Contributor
Find events where access was blocked by a specific conditional access policy
Hi, in Azure Sentinel I need to find events where access to a resource was blocked by a specific conditional access policy. Can anyone help with the query?
PhilQuiet
May 05, 2020 Copper Contributor
I know this question is over a year old, but I want to answer with what I did in Log Analytics for someone else searching like I was. Your where clauses will of course be different; mine was looking for legacy auth requests blocked by a particular policy:
SigninLogs
| where TimeGenerated >= ago(24h)
| where ClientAppUsed !in ("Browser","Mobile Apps and Desktop Clients","")   // keep only legacy auth clients
| mv-expand PolicyResults = ConditionalAccessPolicies   // one row per evaluated policy
| where PolicyResults.id == "<Policy ID/GUID>" and PolicyResults.result != "reportOnlyNotApplied"
| project UserPrincipalName, ClientAppUsed, PolicyResult = tostring(PolicyResults.result), TimeGenerated
It's lines 4 and 5 that you need. Hope it helps someone.
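The same mv-expand pattern generalized into a reporting query, added here as an example and not part of the post above. It assumes the SigninLogs schema as exposed in Sentinel (ConditionalAccessPolicies is an array of objects with id, displayName and result; ResultType is the string error code), and the placeholder policy GUID is an assumption you replace with your own:

```kql
// Added example: count sign-ins that a specific Conditional Access policy
// evaluated as "failure", and break the result down per client app type.
// Only ResultType 53003 (blocked by Conditional Access) is kept, so a policy
// that failed but was not the reason the sign-in was denied is excluded.
SigninLogs
| where TimeGenerated >= ago(7d)
| mv-expand Policy = ConditionalAccessPolicies            // one row per policy evaluated on the sign-in
| extend PolicyId     = tostring(Policy.id),
         PolicyName   = tostring(Policy.displayName),
         PolicyResult = tostring(Policy.result)           // success, failure, notApplied, reportOnlyFailure, ...
| where PolicyId == "<Policy ID/GUID>"                    // assumption: replace with the policy you are tracking
| where PolicyResult == "failure"                         // enforced block; use "reportOnlyFailure" for report-only mode
| where ResultType == "53003"                             // sign-in actually denied by Conditional Access
| summarize BlockedSignIns = count(),
            DistinctUsers  = dcount(UserPrincipalName),
            Apps           = make_set(AppDisplayName)
          by PolicyName, ClientAppUsed, bin(TimeGenerated, 1d)
| order by TimeGenerated asc, BlockedSignIns desc
```

Dropping the ResultType filter and summarizing by PolicyResult instead shows the full distribution (success, notApplied, reportOnlyFailure and so on) for the policy, which is useful when validating a report-only policy before turning it on.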
Grzegorz Wierzbicki
Jun 05, 2020 Brass Contributor