# Using KQL to Detect Gaps in your Conditional Access Strategy

By /

Listen to this Post

Conditional Access (CA) is a critical component of modern identity and access management, ensuring that only authorized users can access resources under specific conditions. However, gaps in CA policies can expose organizations to security risks. Kusto Query Language (KQL) can help detect these gaps by analyzing sign-in logs and identifying unprotected access patterns.

You Should Know:

1. Extracting Sign-In Logs with KQL

To analyze Conditional Access gaps, start by querying Azure AD sign-in logs:

[kql]
SigninLogs
| where TimeGenerated > ago(30d)
| where ResultType == “0” // Successful sign-ins
| where ConditionalAccessPolicies == “[]” // No CA policies applied
| project UserPrincipalName, AppDisplayName, IPAddress, DeviceDetail
[/kql]

This query identifies successful sign-ins where no Conditional Access policies were enforced.

### 2. **Identifying Guest User Vulnerabilities**

Guest users often bypass CA policies, creating security gaps. Use this KQL to detect unprotected guest access:

SigninLogs 
| where UserType == "Guest" 
| where ConditionalAccessPolicies == "[]" 
| summarize Count=count() by UserPrincipalName, AppDisplayName

### 3. **Detecting Risky Locations**

Unprotected sign-ins from risky locations can indicate policy gaps:

SigninLogs 
| where LocationDetails.countryCode == "RU" or LocationDetails.countryCode == "CN" 
| where ConditionalAccessPolicies == "[]" 
| project UserPrincipalName, IPAddress, Location

### 4. **Analyzing Device Compliance Gaps**

Non-compliant devices accessing resources without CA enforcement pose risks:

SigninLogs 
| where DeviceDetail.isCompliant == false 
| where ConditionalAccessPolicies == "[]" 
| project UserPrincipalName, DeviceDetail

### 5. **Automating Gap Detection with Azure Workbooks**

Import the Conditional Access Gap Analyzer Workbook and customize KQL queries to reduce false positives.

### 6. **Remediation Steps**

  • Block high-risk countries in CA policies.
  • Enforce MFA for guest users.
  • Require compliant devices for sensitive apps.
  • Monitor anomalies with continuous KQL queries.

## What Undercode Say

KQL is a powerful tool for uncovering Conditional Access policy gaps. By analyzing sign-in logs, organizations can detect unprotected access patterns, guest user vulnerabilities, and non-compliant device access. Automation through Azure Workbooks enhances detection efficiency. Always refine KQL queries to minimize false positives and align with organizational policies.

### Expected Output:

  • A detailed report of unprotected sign-ins.
  • Identification of guest user risks.
  • Insights into non-compliant device access.
  • Actionable recommendations for policy improvements.

For more details, refer to the original article: Using KQL to Detect Gaps in your Conditional Access Strategy.

References:

Reported By: Activity 7309682593627537410 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image

Related Posts: