# Microsoft Purview - Entra ID - Conditional Access - Block - Insider Risk

## Query Information

### Description

Identify Conditional Access block events due to Microsoft Purview Insider Risk.

#### References

### Microsoft Sentinel

```kql
SigninLogs
| where ResultType == "53003"
| mv-expand ConditionalAccessPolicies
| extend CAdisplayName = tostring(ConditionalAccessPolicies.displayName)
| where CAdisplayName has "Insider Risk"
| extend EnforcedGrantControls = tostring(parse_json(tostring(ConditionalAccessPolicies.enforcedGrantControls))[0])
| where EnforcedGrantControls == "Block"
| where ConditionalAccessPolicies.result == "failure"
| project TimeGenerated, UserPrincipalName, AppDisplayName, ClientAppUsed, IPAddress, Location, CAdisplayName
```
This query identifies sign-in events where access was blocked by a Conditional Access policy related to "Insider Risk" in Microsoft Purview. Here's a simple breakdown of what the query does:

1. Source data: It starts from SigninLogs, which contains records of sign-in attempts.
2. Filter by result type: It keeps only events with a ResultType of "53003", which indicates that access was blocked by a Conditional Access policy.
3. Expand Conditional Access policies: It expands the ConditionalAccessPolicies field so that each policy evaluated during the sign-in attempt becomes its own row.
4. Filter by policy name: It keeps only rows whose policy name (CAdisplayName) contains the term "Insider Risk".
5. Check enforced controls: It keeps only rows whose enforced grant control is "Block", meaning the policy explicitly blocked access.
6. Filter by policy result: It keeps only rows where the policy result was "failure", indicating that the block was actually enforced (a report-only evaluation does not count).
7. Select relevant information: Finally, it projects the details of each matching event: the time it occurred, the user's principal name, the application the user was trying to access, the client app used, the IP address, the location, and the name of the Conditional Access policy.

In summary, this query surfaces instances where users were blocked from accessing resources by Conditional Access policies aimed at mitigating insider risk.
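The same filter chain, modelled in Python over constructed sample sign-in rows, as an added example that is not part of the original query page. It shows why the mv-expand step matters (a sign-in that evaluated several policies yields a row only for the matching one) and why the "failure" check is needed (a report-only Insider Risk policy never blocks anything); the sample rows, names and addresses are all made up.

```python
import json

# Constructed sample SigninLogs rows (not real telemetry), shaped like the Sentinel SigninLogs columns.
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2025-08-29T10:15:00Z", "UserPrincipalName": "alice@contoso.example",
     "AppDisplayName": "SharePoint Online", "ClientAppUsed": "Browser", "IPAddress": "203.0.113.10",
     "Location": "NL", "ResultType": "53003", "ConditionalAccessPolicies": [
         {"displayName": "Require MFA", "enforcedGrantControls": ["Mfa"], "result": "success"},
         # blocked by an Insider Risk policy: the one row the query should return
         {"displayName": "Block - Insider Risk Elevated", "enforcedGrantControls": '["Block"]',
          "result": "failure"}]},
    {"TimeGenerated": "2025-08-29T10:20:00Z", "UserPrincipalName": "bob@contoso.example",
     "AppDisplayName": "Exchange Online", "ClientAppUsed": "Mobile Apps and Desktop clients",
     "IPAddress": "198.51.100.7", "Location": "US", "ResultType": "53003",
     # a 53003 block by an unrelated policy: dropped by the policy-name filter
     "ConditionalAccessPolicies": [
         {"displayName": "Block legacy auth", "enforcedGrantControls": ["Block"], "result": "failure"}]},
    {"TimeGenerated": "2025-08-29T10:25:00Z", "UserPrincipalName": "carol@contoso.example",
     "AppDisplayName": "Teams", "ClientAppUsed": "Browser", "IPAddress": "192.0.2.44",
     "Location": "DE", "ResultType": "0",
     # successful sign-in: the Insider Risk policy ran in report-only mode and blocked nothing
     "ConditionalAccessPolicies": [
         {"displayName": "Block - Insider Risk Elevated", "enforcedGrantControls": ["Block"],
          "result": "reportOnlyFailure"}]},
]
PROJECTED = ("TimeGenerated", "UserPrincipalName", "AppDisplayName",
             "ClientAppUsed", "IPAddress", "Location")

def first_grant_control(policy):
    # Mirror tostring(parse_json(tostring(enforcedGrantControls))[0]): accept a JSON
    # string or an already-parsed list and return the first control ("" if empty).
    raw = policy.get("enforcedGrantControls") or []
    if isinstance(raw, str):
        raw = json.loads(raw)
    return str(raw[0]) if raw else ""

def insider_risk_blocks(rows):
    """Apply the KQL query's filters row by row and return the projected hits."""
    hits = []
    for row in rows:
        if str(row.get("ResultType")) != "53003":          # blocked by Conditional Access
            continue
        for policy in row.get("ConditionalAccessPolicies", []):   # mv-expand
            name = str(policy.get("displayName", ""))
            # KQL `has` is a case-insensitive term match; a lower-cased substring test is close enough here
            if ("insider risk" not in name.lower() or first_grant_control(policy) != "Block"
                    or policy.get("result") != "failure"):
                continue
            hits.append({**{k: row.get(k) for k in PROJECTED}, "CAdisplayName": name})
    return hits
```

Running `insider_risk_blocks(SAMPLE_SIGNINS)` returns only alice's row, carrying the policy name as CAdisplayName.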

Alex Verboon
Released: August 29, 2025