How to investigate the sign-ins requiring a compliant or managed device alert
Microsoft Entra Health monitoring provides a set of tenant-level health metrics you can monitor and alerts when a potential issue or failure condition is detected. There are multiple health scenarios that can be monitored, including two related to devices:
- Sign-ins requiring a Conditional Access compliant device
- Sign-ins requiring a Conditional Access managed device
These scenarios allow you to monitor and receive alerts on user authentication that satisfies a Conditional Access policy requiring signing in from a compliant or managed device. To learn more about how Microsoft Entra Health works, see:
This article describes the health metrics related to compliant and managed devices and how to troubleshoot a potential issue when you receive an alert.
Prerequisites
There are different roles, permissions, and license requirements to view health monitoring signals and configure and receive alerts. Apart from Microsoft Entra admin roles, Microsoft Graph permissions are required to access health monitoring signals and alerts via the Microsoft Graph APIs. We recommend using a role with least privilege access to align with the Zero Trust guidance.
- A tenant with a Microsoft Entra P1 or P2 license is required to view the Microsoft Entra health scenario monitoring signals.
- A tenant with both a Microsoft Entra P1 or P2 license and at least 100 monthly active users is required to view alerts and receive alert notifications.
Required roles and permissions
| Activity | Roles |
|---|---|
| View scenario monitoring signals and alerts and alert configurations | Reports Reader, Security Reader, Security Operator, Security Administrator, Helpdesk Administrator, Global Reader |
| Update alerts | Security Operator, Security Administrator, Helpdesk Administrator |
| Update alert notification configurations | Security Administrator, Helpdesk Administrator |
| View and modify Conditional Access policies | Conditional Access Administrator |
| View the alerts using the Microsoft Graph API | HealthMonitoringAlert.Read.All permission |
| View and modify the alerts using the Microsoft Graph API | HealthMonitoringAlert.ReadWrite.All permission |
Investigate the alert and signal
Investigating an alert starts with gathering data.
- Gather the signal details and impact summary.
  - For more information, see Microsoft Graph health monitoring overview.
  - Run the List alerts API to retrieve all alerts for the tenant.
  - Run the Get alert API to retrieve the details of a specific alert.
- Review your Intune device compliance policies.
  - For more information, see Intune device compliance overview.
  - Learn how to Monitor device compliance policies.
  - If you're not using Intune, review your device management solution's compliance policies.
- Investigate common Conditional Access issues.
- Review the sign-in logs.
  - Review the sign-in log details.
  - Look for users who are blocked from signing in and have a compliant or managed device policy applied to the sign-in.
  - Check the audit logs for recent policy changes, such as a compliance policy or Conditional Access policy that was edited shortly before the spike.
Mitigate common issues
The following common issues could cause a spike in sign-ins requiring a compliant or managed device. This list isn't exhaustive, but provides a starting point for your investigation.
Many users are blocked from signing in from known devices
If a large group of users is blocked from signing in from known devices, the spike could indicate that those devices have fallen out of compliance (for example, after a compliance policy change or a failed update rollout) rather than that the users are under attack.
- Check your Intune device compliance policy.
- Check your Conditional Access device compliance policies.
User is blocked from signing in from an unknown device
If the increase in blocked sign-ins comes from devices that aren't registered or managed in your tenant, the spike could indicate that an attacker has acquired a user's credentials and is attempting to sign in from a device of their own. In that case the device-based Conditional Access policy is doing its job; the credential, not the policy, is what needs attention.
- Review the sign-in logs.
- Investigate risk with Microsoft Entra ID Protection.
- Note: Microsoft Entra ID Protection requires a Microsoft Entra P2 license.
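The triage described in the "Review the sign-in logs" step and in the two cases above can be scripted once the sign-in entries are in hand. The following is an added example, not code from the original article or from Microsoft: it takes sign-in log entries shaped like the objects the Microsoft Graph `auditLogs/signIns` API returns (the entries here are constructed inline, not real log data) and splits the failures caused by a compliant- or managed-device policy into "known device" and "unknown device" buckets. The known-device inventory is an assumed input you would export from Intune or your device management solution; the policy names and device IDs are made up.

```python
"""Triage Conditional Access device-policy failures from Entra sign-in log entries.

Added example (not part of the original article or of Microsoft's tooling).
Sign-in entries are constructed to mirror the shape of the Graph signIn
resource; the known-device inventory is an assumed input.
"""
from collections import Counter, defaultdict

# Grant controls that make a policy a "compliant or managed device" policy.
DEVICE_GRANT_CONTROLS = {"RequireCompliantDevice", "RequireDomainJoinedDevice"}


def device_policy_failures(entry):
    """Names of applied CA policies in `entry` that failed *and* enforce a
    compliant or managed device. Other failures (for example MFA) are ignored."""
    failed = []
    for policy in entry.get("appliedConditionalAccessPolicies", []):
        controls = set(policy.get("enforcedGrantControls", []))
        if policy.get("result") == "failure" and controls & DEVICE_GRANT_CONTROLS:
            failed.append(policy.get("displayName", policy.get("id", "?")))
    return failed


def triage(entries, known_device_ids):
    """Split device-policy failures into the two cases the article describes:
    known devices that are no longer compliant versus unknown devices, which
    may indicate stolen credentials. Returns a plain dict of counts and details."""
    known = defaultdict(list)    # userPrincipalName -> failing known devices
    unknown = defaultdict(list)  # userPrincipalName -> source IPs of unknown devices
    policies = Counter()
    for entry in entries:
        failed = device_policy_failures(entry)
        if not failed:
            continue
        policies.update(failed)
        upn = entry.get("userPrincipalName", "<unknown user>")
        device = entry.get("deviceDetail") or {}
        device_id = device.get("deviceId") or ""
        if device_id and device_id in known_device_ids:
            known[upn].append({
                "deviceId": device_id,
                "isCompliant": device.get("isCompliant", False),
                "errorCode": (entry.get("status") or {}).get("errorCode"),
            })
        else:
            unknown[upn].append(entry.get("ipAddress", "?"))
    return {
        "known_device": dict(known),
        "unknown_device": dict(unknown),
        "by_policy": dict(policies),
        "known_device_count": sum(len(v) for v in known.values()),
        "unknown_device_count": sum(len(v) for v in unknown.values()),
    }


def _entry(upn, ip, device_id, compliant, policy, controls, result, error_code):
    """Build one constructed sign-in entry using the Graph signIn field names."""
    return {
        "userPrincipalName": upn,
        "ipAddress": ip,
        "conditionalAccessStatus": "failure" if result == "failure" else "success",
        "status": {"errorCode": error_code},
        "deviceDetail": {"deviceId": device_id, "isCompliant": compliant,
                         "isManaged": bool(device_id)},
        "appliedConditionalAccessPolicies": [
            {"id": "p-" + policy, "displayName": policy,
             "result": result, "enforcedGrantControls": controls}
        ],
    }


# Constructed sample data (hypothetical users, devices, and policy names).
SAMPLE_SIGNINS = [
    # Known devices that drifted out of compliance (AADSTS53000: device not in required state).
    _entry("alice@contoso.example", "198.51.100.10", "d-1001", False,
           "Require compliant device", ["RequireCompliantDevice"], "failure", 53000),
    _entry("bob@contoso.example", "198.51.100.11", "d-1002", False,
           "Require compliant device", ["RequireCompliantDevice"], "failure", 53000),
    # Same user, no device identity at all: the "unknown device" case.
    _entry("alice@contoso.example", "203.0.113.7", "", False,
           "Require compliant device", ["RequireCompliantDevice"], "failure", 53000),
    # Policy satisfied by a compliant device: not a failure.
    _entry("carol@contoso.example", "198.51.100.12", "d-1003", True,
           "Require compliant device", ["RequireCompliantDevice"], "success", 0),
    # MFA failure on a compliant device: a failure, but not a device-policy failure.
    _entry("dave@contoso.example", "198.51.100.13", "d-1004", True,
           "Require MFA", ["Mfa"], "failure", 50074),
]
KNOWN_DEVICE_IDS = {"d-1001", "d-1002", "d-1003", "d-1004"}  # assumed Intune export


if __name__ == "__main__":
    summary = triage(SAMPLE_SIGNINS, KNOWN_DEVICE_IDS)
    print("Known-device failures (check compliance policies):", summary["known_device"])
    print("Unknown-device failures (investigate credentials):", summary["unknown_device"])
    print("Failures by policy:", summary["by_policy"])
```

A large `known_device_count` spread across many distinct devices points to the first case above (compliance drift, start with the Intune and Conditional Access compliance policies); entries in `unknown_device` point to the second (investigate the user's credentials and risk in Microsoft Entra ID Protection). Feeding the script real data means paging through `auditLogs/signIns` with a token that carries the sign-in log read permission and filtering to the alert's time window.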