Query Details
//Full credit goes to https://www.chanceofsecurity.com/post/mastering-microsoft-entra-authentication-contexts-part-4-monitoring-and-reporting. I did not write this query
SigninLogs
| where TimeGenerated between (ago(30d) .. now())
| where isnotempty(AuthenticationContextClassReferences)
| extend ACR = todynamic(AuthenticationContextClassReferences)
| mv-expand ac = ACR
| extend d = todynamic(ac)
| extend AuthContextId = coalesce(tostring(d.id), tostring(ac)),
         AuthContextDetail = tolower(tostring(d.detail))
| where AuthContextDetail == "required" and isnotempty(AuthContextId)
| extend AppliedCAPs = todynamic(coalesce(column_ifexists("AppliedConditionalAccessPolicies", dynamic(null)),
             column_ifexists("AppliedConditionalAccessPolicies_dynamic", dynamic(null)), dynamic([]))),
         ConfigCAPs = todynamic(coalesce(column_ifexists("ConditionalAccessPolicies", dynamic(null)),
             column_ifexists("ConditionalAccessPolicies_dynamic", dynamic(null)), dynamic([])))
| extend PoliciesAll = array_concat(AppliedCAPs, ConfigCAPs)
| mv-apply pol = PoliciesAll on (
    extend polId = tostring(coalesce(pol.policyId, pol.id)),
           polName = tostring(coalesce(pol.displayName, pol.policyName)),
           polRes = tostring(pol.result),
           polAcrs = todynamic(pol["conditions"]["applications"]["authenticationContextClassReferences"]),
           polJson = tostring(pol)
    | extend matched = iif(isnotempty(polAcrs) and array_index_of(polAcrs, AuthContextId) >= 0, 1,
                       iif(polJson has_cs "\"authenticationContextClassReferences\"" and polJson has_cs strcat("\"", AuthContextId, "\""), 1, 0))
    | project polId, polName, polRes, matched
  )
| summarize
    RequiringPolicyIds = make_set_if(polId, matched == 1, 50),
    RequiringPolicyNames = make_set_if(polName, matched == 1, 50),
    CandidatePolicyIds = make_set_if(polId, polRes =~ "success", 50),
    CandidatePolicyNames = make_set_if(polName, polRes =~ "success", 50)
    by TimeGenerated, Id, UserPrincipalName, UserId,
       AppDisplayName, ResourceDisplayName, ClientAppUsed,
       AuthContextId, IPAddress, SessionId
| project
    SignInTime = TimeGenerated,
    UserPrincipalName, UserId,
    AppDisplayName, ResourceDisplayName, ClientAppUsed,
    AuthContextId,
    RequiringPolicyIds, RequiringPolicyNames,
    CandidatePolicyIds, CandidatePolicyNames, IPAddress, SessionId
| order by SignInTime desc
This KQL (Kusto Query Language) query is designed to analyze sign-in logs from Microsoft Entra (formerly Azure Active Directory) to monitor and report on authentication contexts and conditional access policies. Here's a simplified breakdown of what the query does:
Data Source: It starts by querying the SigninLogs table for sign-in events that occurred in the last 30 days.
Filter for Authentication Contexts: It keeps only entries where AuthenticationContextClassReferences is populated.
Extract and Expand Data: The query parses that field and expands it to one row per authentication context, extracts the authentication context ID and detail, and keeps only contexts whose detail is "required".
Conditional Access Policies: It collects the applied and configured conditional access policies recorded on each sign-in event into a single list, tolerating either column being absent.
Policy Matching: For each policy, the query checks whether the authentication context ID appears in the policy's authentication context class references, falling back to a text match on the policy's JSON. Policies that match are recorded as requiring the authentication context, and policies whose result is success are recorded as candidates.
Summarize Results: It summarizes the data by grouping it based on several attributes like time, user, application, and session details. It creates sets of policy IDs and names that require the authentication context and those that were successfully applied.
Select and Order Data: Finally, it selects relevant columns to display, such as sign-in time, user details, application details, authentication context, and policy information. The results are ordered by the sign-in time in descending order.
In essence, this query provides insights into how authentication contexts and conditional access policies are being applied to sign-in events, helping to understand security configurations and compliance in the Microsoft Entra environment.
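To check the parsing and matching stages before running the query over 30 days of production logs, a cut-down version can be run against a constructed datatable. This is an added example, not part of the original query or the credited post: the rows, user names, policy IDs and policy names are invented, and the text-match fallback and column_ifexists handling are left out to keep it short.

```kql
// Constructed rows standing in for SigninLogs; every value here is made up.
let SampleSignins = datatable(
    TimeGenerated: datetime, Id: string, UserPrincipalName: string,
    AuthenticationContextClassReferences: string, ConditionalAccessPolicies: dynamic)
[
    // Row s1: c1 is required and the policy entry carries conditions (structured match path).
    datetime(2025-11-01 09:00:00), "s1", "alice@contoso.example",
    '[{"id":"c1","detail":"required"}]',
    dynamic([{"id":"p-1","displayName":"Require MFA for c1","result":"success","conditions":{"applications":{"authenticationContextClassReferences":["c1"]}}}]),
    // Row s2: c2 is required but the policy entry has no conditions object.
    datetime(2025-11-01 10:00:00), "s2", "bob@contoso.example",
    '[{"id":"c2","detail":"required"}]',
    dynamic([{"id":"p-2","displayName":"Compliant device for c2","result":"success"}]),
    // Row s3: c1 is present but its detail is not "required" (constructed detail value).
    datetime(2025-11-01 11:00:00), "s3", "carol@contoso.example",
    '[{"id":"c1","detail":"previouslySatisfied"}]',
    dynamic([{"id":"p-1","displayName":"Require MFA for c1","result":"success"}]),
    // Row s4: no authentication context on the sign-in.
    datetime(2025-11-01 12:00:00), "s4", "dave@contoso.example",
    "",
    dynamic([])
];
SampleSignins
| where isnotempty(AuthenticationContextClassReferences)
| mv-expand ac = todynamic(AuthenticationContextClassReferences)
| extend AuthContextId = tostring(ac.id),
         AuthContextDetail = tolower(tostring(ac.detail))
| where AuthContextDetail == "required" and isnotempty(AuthContextId)
| mv-apply pol = ConditionalAccessPolicies on (
    // Structured match only: does the policy entry list this context ID?
    extend polAcrs = pol["conditions"]["applications"]["authenticationContextClassReferences"]
    | extend matched = iif(isnotempty(polAcrs) and array_index_of(polAcrs, AuthContextId) >= 0, 1, 0)
    | project polName = tostring(pol.displayName), polRes = tostring(pol.result), matched
  )
| summarize RequiringPolicyNames = make_set_if(polName, matched == 1),
            CandidatePolicyNames = make_set_if(polName, polRes =~ "success")
    by TimeGenerated, Id, UserPrincipalName, AuthContextId
| order by TimeGenerated asc
```

Comparing rows s1 and s2 in the output shows how the Requiring and Candidate sets diverge when a policy entry in the log carries no conditions to match against.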

Jay Kerai
Released: November 3, 2025