New in Public Preview: Conditional Access Per-Policy Reporting

IAM Admins can now visualize the impact of individual Conditional Access policies directly in the Microsoft Entra Admin Center without relying on Log Analytics or custom queries. This feature simplifies policy assessment, tuning, and enforcement.

Key Features:

🔹 Per-Policy Graphs – View policy impact on past sign-ins.
🔹 Report-Only Evaluation – Test policies before enforcement.
🔹 Multiple Timeframes – Analyze data over 24 hours, 7 days, or 1 month.
🔹 Integrated Logs & Workbooks – Drill into granular sign-in events and customize reports.

Requirements:

  • Entra ID P1 (included in Microsoft 365 Business Premium, Enterprise SKUs, or available standalone).

You Should Know:

1. Checking Conditional Access Policy Impact via PowerShell

[powershell]
# Connect to Microsoft Graph with the scopes needed to read policies and sign-in logs
Connect-MgGraph -Scopes "Policy.Read.All", "Reports.Read.All"

# List all Conditional Access policies with their state (enabled, disabled, report-only)
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State

# Get sign-in logs that evaluated a given policy (requires Entra ID P1/P2)
Get-MgAuditLogSignIn -Filter "conditionalAccessPolicies/any(policy: policy/displayName eq 'YourPolicyName')"
[/powershell]

2. Enabling Report-Only Mode via Azure CLI

The policy resource has no `reportOnly` property; report-only mode is the `state` value `enabledForReportingButNotEnforced` (the same value the Terraform example below uses).

[bash]
az rest --method PATCH \
  --url "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/{policyId}" \
  --headers "Content-Type=application/json" \
  --body '{"state": "enabledForReportingButNotEnforced"}'
[/bash]
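The per-policy graphs, the PowerShell sign-in query above and the report-only switch all rest on the same data: the `conditionalAccessPolicies[].result` array on each Graph `signIn` record, where report-only policies produce `reportOnly*` results and enforced ones produce `success`/`failure`/`notApplied`. The following added example (not Microsoft's or Undercode's code) builds that summary offline over the three admin-center timeframes, lists the users a report-only policy would have blocked, and gates promotion to `enabled` on that count, emitting the correct PATCH body. The sign-in records, policy ids and user names are constructed sample data.

```python
"""Per-policy Conditional Access impact from Graph signIn records (added example)."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Allowed values of the policy `state` property used by PATCH .../policies/{id}
VALID_STATES = {"enabled", "disabled", "enabledForReportingButNotEnforced"}
# The three windows the admin-center per-policy graphs offer
TIMEFRAMES = {"24h": timedelta(hours=24), "7d": timedelta(days=7), "1m": timedelta(days=30)}
# "now" is pinned so the constructed sample below is reproducible
NOW = datetime(2025, 1, 31, 12, 0, tzinfo=timezone.utc)


def _signin(sid, when, upn, legacy_result, mfa_result):
    """Build one minimal signIn record (constructed data, placeholder policy ids)."""
    return {
        "id": sid, "createdDateTime": when, "userPrincipalName": upn,
        "conditionalAccessPolicies": [
            {"id": "00000000-0000-0000-0000-000000000001",
             "displayName": "Block Legacy Authentication", "result": legacy_result},
            {"id": "00000000-0000-0000-0000-000000000002",
             "displayName": "Require MFA", "result": mfa_result},
        ],
    }


# Constructed sample: one policy in report-only mode, one enforced; s5 is older than a month
SAMPLE_SIGNINS = [
    _signin("s1", "2025-01-31T10:00:00Z", "alice@contoso.example", "reportOnlyFailure", "success"),
    _signin("s2", "2025-01-31T08:30:00Z", "bob@contoso.example", "reportOnlyNotApplied", "success"),
    _signin("s3", "2025-01-30T13:00:00Z", "carol@contoso.example", "reportOnlyFailure", "failure"),
    _signin("s4", "2025-01-28T09:00:00Z", "dave@contoso.example", "reportOnlyNotApplied", "notApplied"),
    _signin("s5", "2024-12-15T09:00:00Z", "eve@contoso.example", "reportOnlyFailure", "success"),
]


def parse_time(value):
    """Graph emits ISO 8601 with a trailing Z; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def in_window(signin, now, timeframe):
    age = now - parse_time(signin["createdDateTime"])
    return timedelta(0) <= age <= TIMEFRAMES[timeframe]


def per_policy_impact(signins, now=NOW, timeframe="24h"):
    """Count each policy's result values over the window: the data behind a per-policy graph."""
    impact = defaultdict(Counter)
    for s in signins:
        if not in_window(s, now, timeframe):
            continue
        for p in s.get("conditionalAccessPolicies", []):
            impact[p["displayName"]][p["result"]] += 1
    return {name: dict(c) for name, c in impact.items()}


def would_have_blocked(signins, policy_name, now=NOW, timeframe="7d"):
    """Distinct UPNs a report-only policy would have blocked: the outliers to review first."""
    users = set()
    for s in signins:
        if not in_window(s, now, timeframe):
            continue
        for p in s.get("conditionalAccessPolicies", []):
            if p["displayName"] == policy_name and p["result"] == "reportOnlyFailure":
                users.add(s["userPrincipalName"])
    return sorted(users)


def patch_body(state):
    """JSON body for PATCH /identity/conditionalAccess/policies/{id}; the property is `state`."""
    if state not in VALID_STATES:
        raise ValueError(f"unknown state {state!r}; expected one of {sorted(VALID_STATES)}")
    return json.dumps({"state": state})


def promotion_plan(signins, policy_name, max_blocked_users=0, now=NOW, timeframe="7d"):
    """Decide whether a report-only policy may be enforced: only when no more than
    max_blocked_users distinct users would have been blocked in the window."""
    blocked = would_have_blocked(signins, policy_name, now, timeframe)
    ready = len(blocked) <= max_blocked_users
    return {"policy": policy_name, "blocked_users": blocked, "ready": ready,
            "next_state": "enabled" if ready else "enabledForReportingButNotEnforced"}


if __name__ == "__main__":
    for tf in TIMEFRAMES:
        print(tf, per_policy_impact(SAMPLE_SIGNINS, timeframe=tf))
    plan = promotion_plan(SAMPLE_SIGNINS, "Block Legacy Authentication")
    print(plan, patch_body(plan["next_state"]))
```

On a live tenant the records would come from `Get-MgAuditLogSignIn` (or `GET /auditLogs/signIns`) instead of `SAMPLE_SIGNINS`; everything else stays the same. The threshold in `promotion_plan` is a policy decision: a non-zero value is only appropriate when every listed user has been reviewed and the block is intended.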

3. Querying Policy Impact with KQL (Log Analytics)

[kql]
SigninLogs
| where ConditionalAccessPolicies has "YourPolicyName"
| summarize Count=count() by ConditionalAccessStatus
[/kql]

4. Automating Policy Deployment via Terraform

[hcl]
resource "azuread_conditional_access_policy" "block_legacy_auth" {
  display_name = "Block Legacy Authentication"
  state        = "enabledForReportingButNotEnforced"

  conditions {
    client_app_types = ["exchangeActiveSync", "other"]
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["block"]
  }
}
[/hcl]

What Undercode Says

Conditional Access Per-Policy Reporting is a game-changer for IAM teams, reducing dependency on complex log queries. However, always:
– Test in Report-Only mode before enforcement.
– Monitor outliers with Get-MgAuditLogSignIn.
– Combine with SIEM rules for anomalous sign-ins.

Pro Tip: Use `az monitor activity-log alert` to trigger alerts for policy failures.

Expected Output:

  • Policy impact graphs in Entra Admin Center.
  • PowerShell/KQL outputs for audit logs.
  • Automated policy deployment scripts.

Reference: Microsoft Entra Conditional Access Docs

Reported By: Samehyounis Entraid – Hackers Feeds
