Forum Discussion

Grzegorz Wierzbicki's avatar
Grzegorz Wierzbicki
Brass Contributor
Apr 18, 2019

Find events where access was blocked by specific condional access policy

Hi In Azure Sentinel, I need to find events where access to a resource was blocked by specific conditional access policy. Can anyone help with the query ?
azure monitor
microsoft sentinel
CliveWatson's avatar
CliveWatson
Icon for Microsoft rankMicrosoft
Apr 18, 2019

Grzegorz Wierzbicki 

 

let policyname = "MCAS";  // some text that matches the policy name
SigninLogs
| where ConditionalAccessPolicies has policyname
| where ConditionalAccessStatus == "success"
| project AppliedConditionalAccessPolicies

Maybe start to look for the policy name...

Grzegorz Wierzbicki's avatar
Grzegorz Wierzbicki
Brass Contributor
May 06, 2019

This is not it.

ConditionalAccessPolicies is an array of all the policies found in the tenant.

Each policy can have a status of success, notApplied or notEnabled (possibly more?)

In PowerShell this would be a no-brainer.

$policyid = <guid>

$ConditionalAccessPolicies | ?{$_.id -eq $policyid -AND $_.result -eq "success"}

 

I just don't know how do that in this query language...

  • CliveWatson's avatar
    CliveWatson
    Icon for Microsoft rankMicrosoft
    May 09, 2019

    Grzegorz Wierzbicki 

     

    More like

    SigninLogs
| where tostring(ConditionalAccessPolicies.[0].displayName) !=""
| summarize count() by //TimeGenerated,
                        CAPolicyName = tostring(ConditionalAccessPolicies.[0].displayName),                                            ConditionalAccessStatus

     

    Filter on 'success' with 

     

    SigninLogs
| where tostring(ConditionalAccessPolicies.[0].displayName) !=""
| where ConditionalAccessStatus == "success"
| summarize count() by //TimeGenerated,
                        CAPolicyName = tostring(ConditionalAccessPolicies.[0].displayName),                                            ConditionalAccessStatus
    • Grzegorz Wierzbicki's avatar
      Grzegorz Wierzbicki
      Brass Contributor
      May 09, 2019

      CliveWatson 

      Thank you for trying :)

       

      This will not work.

      In your example you are only checking the first policy from the array (with index [0]).

      I don't know at which position in the array my policy is.

      I can find out by checking the logs (today it is 27) but that position can change as older policies are removed from the tenant.

      Query must be based on specific policy ID

      • CliveWatson's avatar
        CliveWatson
        Icon for Microsoft rankMicrosoft
        May 09, 2019

        Grzegorz Wierzbicki 

         

        I only have the one policy, so always [0] :-(

         

        However I think (not tested) mvexpand might help here, this might do multiple array positions

         

        SigninLogs
| extend PropertiesJSON = parse_json(ConditionalAccessPolicies)
| extend CAPoliciesJson = parse_json(tostring(PropertiesJSON)) 
| mvexpand CAPoliciesJson
//| project CAPoliciesJson .displayName
| where CAPoliciesJson.displayName !=""
| summarize count() by //TimeGenerated,
                        CAPolicyName = tostring(CAPoliciesJson.displayName) ,
                        tostring(CAPoliciesJson.result),
                        tostring(CAPoliciesJson.id)

         

Resources