@dstreefkerk
Last active March 6, 2024 16:55
KQL Query to retrieve all Azure AD sign-ins that failed a Conditional Access policy in Report-Only mode
// Get sign-in logs for any Report-Only Conditional Access policy where the result is reportOnlyFailure
SigninLogs
// One row per Conditional Access policy evaluated for each sign-in
| mv-expand ConditionalAccessPolicies
| where tostring(ConditionalAccessPolicies["result"]) == "reportOnlyFailure"
| project TimeGenerated, Identity, UserPrincipalName,
    AzureADApplication = AppDisplayName, ClientApplication = ClientAppUsed,
    ClientBrowser = DeviceDetail.browser, ClientOperatingSystem = DeviceDetail.operatingSystem,
    ClientIPAddress = IPAddress, ClientUserAgent = UserAgent,
    ConditionalAccessPolicyName = ConditionalAccessPolicies["displayName"], ConditionalAccessPolicyID = ConditionalAccessPolicies["id"]