CA User SignIn Failures
Conditional Access User Failures
Query
SigninLogs
| where ResultType != 0
| where ResultDescription has "Conditional Access"
| summarize Total = count(), ResultTypes = make_set(ResultType), ResultDescriptions = make_set(ResultDescription) by UserPrincipalName
| sort by TotalAbout this query
Explanation
This KQL query is designed to identify users who have experienced failed sign-in attempts due to Conditional Access (CA) policy failures. Here's a simple breakdown of what the query does:
-
Data Source: It starts by looking at the
SigninLogs, which contains records of sign-in attempts. -
Filter for Failures: It filters out successful sign-ins by selecting only those entries where the
ResultTypeis not equal to 0, indicating a failure. -
Focus on Conditional Access: It further narrows down the results to those failures specifically related to Conditional Access by checking if the
ResultDescriptioncontains the phrase "Conditional Access". -
Summarize Data: For each user (identified by
UserPrincipalName), it counts the total number of failed sign-ins and collects the different types of result codes (ResultTypes) and descriptions (ResultDescriptions) associated with these failures. -
Sort Results: Finally, it sorts the users by the total number of failed sign-ins, likely to identify those with the most issues.
In essence, this query helps identify users who are frequently blocked by Conditional Access policies, which could indicate misconfigured policies or potential security threats, such as adversaries attempting to use stolen credentials.
