Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
KQL Query to retrieve all Azure AD sign-ins that failed a Conditional Access policy in Report-Only mode
// Get Sign-in logs for any Report-Only Conditional Access policies where the result = ReportOnlyFailure
SigninLogs
| mvexpand ConditionalAccessPolicies
| where ConditionalAccessPolicies["result"] == "reportOnlyFailure"
| project TimeGenerated, Identity, UserPrincipalName, AzureADApplication = AppDisplayName, ClientApplication = ClientAppUsed, ClientBrowser = DeviceDetail.browser, ClientOperatingSystem = DeviceDetail.operatingSystem, ClientIPAddress = IPAddress , ClientUserAgent = UserAgent , ConditionalAccessPolicyName = ConditionalAccessPolicies["displayName"], ConditionalAccessPolicyID = ConditionalAccessPolicies["id"]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.