View applied Conditional Access details in the Microsoft Entra sign-in logs
With Conditional Access policies, you can control how your users get access to your Azure and Microsoft Entra resources. As a tenant admin, you need to be able to determine what effect your Conditional Access policies have on sign-ins to your tenant, so that you can take action if necessary. The sign-in logs in Microsoft Entra ID give you the information that you need to assess the effect of your Conditional Access policies.
This article explains how to view applied Conditional Access policies in those logs.
Prerequisites
To see applied Conditional Access policies in the sign-in logs, administrators must have permissions to view both the logs and the policies. The least privileged built-in role that grants both permissions is Security Reader. As a best practice, you should add the Security Reader role to the related administrator accounts.
The following built-in roles grant permissions to read Conditional Access policies:
- Security Reader
- Security Administrator
- Conditional Access Administrator
The following built-in roles grant permission to view sign-in logs:
- Reports Reader
- Security Reader
- Security Administrator
Permissions
If you use a client app or the Microsoft Graph PowerShell module to pull sign-in logs from Microsoft Graph, your app needs a permission that lets it read the appliedConditionalAccessPolicy resource from Microsoft Graph. As a best practice, assign Policy.Read.ConditionalAccess, because it's the least privileged permission that exposes that resource.
The following permissions allow a client app to access the activity logs and any applied Conditional Access policies in sign-in logs through Microsoft Graph:
- Policy.Read.ConditionalAccess
- Policy.ReadWrite.ConditionalAccess
- Policy.Read.All
- AuditLog.Read.All
- Directory.Read.All
To use the Microsoft Graph PowerShell module, you also need to consent to the least privileged permissions and then query the logs:
- To consent to the necessary permissions:
Connect-MgGraph -Scopes Policy.Read.ConditionalAccess, AuditLog.Read.All, Directory.Read.All
- To view the sign-in logs:
Get-MgAuditLogSignIn
For more information about this cmdlet, see Get-MgAuditLogSignIn. The applied policies are returned in the appliedConditionalAccessPolicies property of each sign-in, not as a separate object.
Conditional Access and sign-in log scenarios
As a Microsoft Entra administrator, you can use the sign-in logs to:
- Troubleshoot sign-in problems.
- Check on feature performance.
- Evaluate the security of a tenant.
Some scenarios require you to get an understanding of how your Conditional Access policies were applied to a sign-in event. Common examples include:
- Helpdesk administrators who need to look at applied Conditional Access policies to understand if a policy is the root cause of a ticket that a user opened.
- Tenant administrators who need to verify that Conditional Access policies have the intended effect on the users of a tenant.
You can access the sign-in logs by using the Microsoft Entra admin center, the Azure portal, Microsoft Graph, and PowerShell.
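The following script is an added example, not code from the article, that carries the Connect-MgGraph and Get-MgAuditLogSignIn procedure above through to the helpdesk scenario: pull one user's recent sign-ins, print the overall Conditional Access status and the per-policy results, then rank the policies that blocked that user. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Reports modules are installed, that the signed-in administrator holds a role that can read both sign-in logs and policies (for example Security Reader), and that the user principal name and the $Top count are placeholders you replace.

```powershell
# Added example, not part of the original article. Assumes the Microsoft.Graph.Authentication
# and Microsoft.Graph.Reports modules are installed and that the admin who consents holds a role
# that can read both sign-in logs and Conditional Access policies (for example Security Reader).
$UserPrincipalName = 'alice@contoso.example'   # placeholder: the user from the helpdesk ticket
$Top = 100                                      # placeholder: number of most recent sign-ins to pull

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Reports

# Consent to the least privileged delegated scopes named in this article.
Connect-MgGraph -Scopes 'Policy.Read.ConditionalAccess', 'AuditLog.Read.All', 'Directory.Read.All'

# Pull the user's recent sign-ins. The filter uses the Graph signIn property names.
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$UserPrincipalName'" -Top $Top

foreach ($s in $signIns) {
    # conditionalAccessStatus is the overall outcome for the sign-in: success, failure, or notApplied.
    '{0}  {1}  app={2}  errorCode={3}  caStatus={4}' -f `
        $s.CreatedDateTime, $s.UserPrincipalName, $s.AppDisplayName, $s.Status.ErrorCode, $s.ConditionalAccessStatus

    # appliedConditionalAccessPolicies lists every policy that was evaluated, with its own result
    # (success, failure, notApplied, notEnabled, reportOnly*) and the controls it enforced.
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        '    [{0}] {1}  grant={2}  session={3}' -f `
            $p.Result, $p.DisplayName, ($p.EnforcedGrantControls -join ','), ($p.EnforcedSessionControls -join ',')
    }
}

# Helpdesk view: which policies most often blocked this user? Report-only failures are included so
# you can see what a policy would have done before you switch it from report-only to enforced.
$signIns |
    ForEach-Object { $_.AppliedConditionalAccessPolicies } |
    Where-Object { $_.Result -in 'failure', 'reportOnlyFailure' } |
    Group-Object -Property DisplayName |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name |
    Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```

If the AppliedConditionalAccessPolicies property comes back empty for every sign-in while ConditionalAccessStatus is populated, the account you connected with can read the logs but not the policies; reconnect with an account that holds one of the policy-reading roles listed under Prerequisites.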
How to view Conditional Access policies
Tip
Steps in this article might vary slightly based on the portal you start from.
The activity details of sign-in logs contain several tabs. The Conditional Access tab lists the Conditional Access policies applied to that sign-in event.
- Sign in to the Microsoft Entra admin center as at least a Reports Reader. To see the Conditional Access tab, the account must also hold a role that can read Conditional Access policies, so Security Reader is the least privileged choice for this task.
- Browse to Identity > Monitoring & health > Sign-in logs.
- Select a sign-in item from the table to view the sign-in details pane.
- Select the Conditional Access tab.
If you don't see the Conditional Access policies, confirm you're using a role that provides access to both the sign-in logs and the Conditional Access policies.