Query Details

Identity Visualize Conditional Access Failures

Query

//Visualizes conditional access policy failures over time by policy name

//Data connector required for this query - Azure Active Directory - Signin Logs

let start = now(-90d);
let end = now();
let timeframe = 12h;
SigninLogs
| project TimeGenerated, ResultType, ConditionalAccessPolicies
| where ResultType == 53003
| mv-expand ConditionalAccessPolicies
| where ConditionalAccessPolicies.result == "failure"
| extend ['CA Policy Name'] = tostring(ConditionalAccessPolicies.displayName)
| make-series ['Failure Count'] = count() default=0 on TimeGenerated in range(start, end, timeframe) by ['CA Policy Name']
| render timechart with (title="Conditional access policy failure over time")

Explanation

This query visualizes Conditional Access policy failures over time and requires the Azure Active Directory - Signin Logs data connector. From the SigninLogs table it projects TimeGenerated, ResultType and ConditionalAccessPolicies, keeps only sign-ins with ResultType 53003 (the sign-in result code for a block by Conditional Access), and uses mv-expand to unroll the ConditionalAccessPolicies array into one row per policy. It then keeps only the policies whose result is "failure", extracts each policy's display name, and with make-series counts failures per policy name in 12-hour bins over the last 90 days, filling empty bins with 0. Finally, it renders a time chart with the title "Conditional access policy failure over time."
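As an added example (not part of the original query or its author's work), the same pipeline implemented in Python over constructed SigninLogs-style records, so the ResultType filter, the mv-expand of the policy array, the per-policy "failure" filter and the 12-hour binning can be checked offline. The sample records and the bin edges (starting at `start`, stepping by `timeframe`) are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed SigninLogs-style records (sample data, not from any tenant).
# Only the three columns the query projects are kept; ConditionalAccessPolicies
# is the dynamic array that mv-expand unrolls into one row per policy.
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2022-06-01T08:15:00Z", "ResultType": 53003,
     "ConditionalAccessPolicies": [
         {"displayName": "Require MFA for admins", "result": "failure"},
         {"displayName": "Block legacy auth", "result": "notApplied"}]},
    {"TimeGenerated": "2022-06-01T19:40:00Z", "ResultType": 53003,
     "ConditionalAccessPolicies": [
         {"displayName": "Require MFA for admins", "result": "failure"},
         {"displayName": "Require compliant device", "result": "failure"}]},
    # Successful sign-in: ResultType 0, so the first where clause drops it.
    {"TimeGenerated": "2022-06-02T03:05:00Z", "ResultType": 0,
     "ConditionalAccessPolicies": [
         {"displayName": "Require MFA for admins", "result": "success"}]},
    {"TimeGenerated": "2022-06-02T10:30:00Z", "ResultType": 53003,
     "ConditionalAccessPolicies": [
         {"displayName": "Block legacy auth", "result": "failure"}]},
]


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ca_failure_series(records, start, end, timeframe=timedelta(hours=12)):
    """Mirror the query: keep ResultType 53003, mv-expand the policy array,
    keep policies whose result is "failure", count per policy per bin.
    Bins begin at `start`, step by `timeframe`, cover [start, end) and are
    zero-filled like make-series default=0. Returns {policy: [counts]}."""
    nbins = (end - start) // timeframe
    series = defaultdict(lambda: [0] * nbins)
    for rec in records:
        if rec["ResultType"] != 53003:                    # | where ResultType == 53003
            continue
        t = parse_time(rec["TimeGenerated"])
        if not (start <= t < end):                        # outside range(start, end, ...)
            continue
        idx = (t - start) // timeframe
        for policy in rec["ConditionalAccessPolicies"]:   # | mv-expand ConditionalAccessPolicies
            if policy.get("result") != "failure":         # | where ...result == "failure"
                continue
            series[str(policy["displayName"])][idx] += 1  # tostring(...displayName)
    return dict(series)
```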

Details


Matt Zorich

Released: June 17, 2022

Tables

SigninLogs

Keywords

ConditionalAccessPolicies, ResultType, TimeGenerated

Operators

project, where, mv-expand, extend, make-series, render
