
Monitor Exclusion Into Conditional Access Policies

Query

**Monitor Exclusion into Conditional Access Policies**

**Description:** This KQL query helps keep an eye on accounts that are being excluded from Conditional Access (CA) policies that would otherwise block them, and shows which specific field satisfied the exclusion rule and let them through.

The aim of this query is to:

- Spot CA policies with a high number of exclusions.
- Find exclusions that don't make sense, such as skipping MFA when it is mandatory for privileged accounts.
- Catch new exclusions that might not have been approved.
- Check how exclusions actually behave in practice (excluding a device is fine, but if it connects from risky countries or open networks, that is a problem; hopefully other CA policies cover this).
- Identify unexpected exclusions, which could mean an attacker got in and excluded themselves to bypass CA controls.

```kql
AADSignInEventsBeta
// ConditionalAccessPolicies is a JSON array of every CA policy evaluated for the sign-in:
// expand it to one row per (sign-in, policy)
| mv-expand Policies = parse_json(ConditionalAccessPolicies)
| extend PolicyName = tostring(Policies.displayName),
         PolicyId = tostring(Policies.id),
         PolicyResult = tostring(Policies.result),
         EnforcedGrantControls = tostring(Policies.enforcedGrantControls),
         EnforcedSessionControls = tostring(Policies.enforcedSessionControls),
         Excluded = tostring(Policies.excludeRulesSatisfied)
// excludeRulesSatisfied is itself an array (one entry per exclusion rule that matched):
// expand again so each satisfied rule becomes its own row
| mv-expand CA_field_excluded = parse_json(Excluded)
| extend CA_field_reason_excluded = tostring(CA_field_excluded.ruleSatisfied)
// Keep policies where an exclusion rule fired and the grant control would otherwise have been Block
| where Excluded contains "conditional" and EnforcedGrantControls has '["Block"]'
| summarize total_CA_excluded_times = count()
    by AccountDisplayName, AccountUpn, Country, CA_field_reason_excluded, EnforcedGrantControls, PolicyName, PolicyId
```

Explanation

This KQL query is designed to monitor and analyze accounts that are being excluded from Conditional Access (CA) policies in Azure Active Directory. Here's a simplified breakdown of what the query does:

  1. Data Source: It starts by accessing the AADSignInEventsBeta table, which contains sign-in event data.

  2. Extract Conditional Access Policies: The query extracts and expands the details of Conditional Access policies applied during sign-ins. It specifically looks at the policies that were triggered and resulted in exclusions.

  3. Identify Exclusions: It focuses on policies where exclusions occurred, particularly when the policy was supposed to block access (indicated by "Block" in EnforcedGrantControls).

  4. Analyze Exclusion Reasons: The query examines the reasons why certain accounts were excluded from these policies, capturing details like the account's display name, user principal name (UPN), country, and the specific field that caused the exclusion.

  5. Summarize Results: Finally, it summarizes the data by counting how many times each account was excluded from CA policies, grouped by various attributes such as account details, country, exclusion reason, and policy information.

The overall goal of this query is to help identify and investigate unusual or potentially risky exclusions from Conditional Access policies, such as:

- Policies with a high number of exclusions.
- Exclusions that don't align with security requirements (e.g., skipping MFA for privileged accounts).
- Unapproved or unexpected exclusions that could indicate security issues, like an attacker bypassing controls.
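To exercise the same expand-and-filter logic on data you control, the following added Python rendering of the query (not part of the original query or its author's work) replays its steps over constructed sign-in rows and also implements the "new exclusion" check from the list above. Account names, policy ids and the Row/new_exclusions helpers are assumptions for the example; the Block test is list membership, which is what the `has '["Block"]'` filter intends.

```python
import json
from collections import Counter, namedtuple

# Grouping keys in the same order as the query's summarize ... by clause
Row = namedtuple("Row", "AccountDisplayName AccountUpn Country CA_field_reason_excluded "
                        "EnforcedGrantControls PolicyName PolicyId")

def _event(name, upn, country, policies):
    """One constructed AADSignInEventsBeta-style row; the CA column is a JSON string, as in the table."""
    return {"AccountDisplayName": name, "AccountUpn": upn, "Country": country,
            "ConditionalAccessPolicies": json.dumps(policies)}

# Constructed policies (placeholder ids/names, not real tenant data), in the shape the query parses
BLOCK_LEGACY = {"id": "p1", "displayName": "Block legacy auth", "enforcedGrantControls": ["Block"],
                "excludeRulesSatisfied": [{"conditionalAccessCondition": "users", "ruleSatisfied": "userId"}]}
REQUIRE_MFA = {"id": "p2", "displayName": "Require MFA", "enforcedGrantControls": ["Mfa"],
               "excludeRulesSatisfied": [{"conditionalAccessCondition": "users", "ruleSatisfied": "groupId"}]}
BLOCK_COUNTRY = {"id": "p3", "displayName": "Block risky countries", "enforcedGrantControls": ["Block"],
                 "excludeRulesSatisfied": []}

# Constructed sample sign-ins: Alice is excluded from a Block policy three times (two countries),
# Bob is only excluded from an MFA policy, which this query deliberately ignores
SAMPLE_EVENTS = [
    _event("Alice Admin", "alice@example.com", "US", [BLOCK_LEGACY, REQUIRE_MFA]),
    _event("Alice Admin", "alice@example.com", "US", [BLOCK_LEGACY]),
    _event("Alice Admin", "alice@example.com", "NL", [BLOCK_LEGACY, BLOCK_COUNTRY]),
    _event("Bob User", "bob@example.com", "US", [REQUIRE_MFA, BLOCK_COUNTRY]),
]

def excluded_from_block_policies(events):
    """Mirror the query: expand policies, then the exclusion rules that fired, keep only policies
    whose grant control is Block, and count by the summarize keys. Returns Counter[Row -> int]."""
    counts = Counter()
    for ev in events:
        for pol in json.loads(ev["ConditionalAccessPolicies"]):        # first mv-expand
            grants = pol.get("enforcedGrantControls", [])
            if "Block" not in grants:                                    # has '["Block"]' filter
                continue
            for rule in pol.get("excludeRulesSatisfied", []):           # second mv-expand; empty -> no rows
                counts[Row(ev["AccountDisplayName"], ev["AccountUpn"], ev["Country"],
                           rule.get("ruleSatisfied"), json.dumps(grants),
                           pol.get("displayName"), pol.get("id"))] += 1
    return counts

def new_exclusions(baseline_events, recent_events):
    """(UPN, policy id) pairs excluded from a Block policy in recent sign-ins but never in the
    baseline window: the 'new exclusion that might not have been approved' case listed above."""
    pairs = lambda evs: {(r.AccountUpn, r.PolicyId) for r in excluded_from_block_policies(evs)}
    return pairs(recent_events) - pairs(baseline_events)
```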

Details

Sergio Albea

Released: December 23, 2024

Tables

AADSignInEventsBeta

Keywords

AADSignInEventsBeta, ConditionalAccessPolicies, Policies, AccountDisplayName, AccountUpn, Country

Operators

extend, todynamic, tostring, mv-expand, parse_json, summarize, count, by, where, contains, has