๐Ÿ›ก๏ธ Recipe ยท Security & Compliance

Investigate Conditional Access Sign-In Logs and Policy Configuration

Analyze Entra ID sign-in telemetry and CA policy posture to surface failures, gaps, and policy evaluation patterns

Complexity

Intermediate

Impact

security + compliance + access-control + audit

Context

Why This Matters

Conditional Access (CA) is the primary access control plane for Microsoft 365 and Entra ID. When users report being blocked, when you suspect risky sign-ins, or during a routine security review, you need visibility into two things at once: what the sign-in logs show (who signed in, from where, which policies fired, what results) and what is actually configured (custom CA policies vs. Security Defaults).

Run this recipe when:

  • Users report unexpected MFA prompts, blocks, or access denials
  • You are performing a monthly/quarterly security posture review
  • You suspect a compromised account (risky sign-ins, unfamiliar locations)
  • You are validating that newly deployed CA policies are firing as expected
  • You are auditing a tenant that relies only on Security Defaults and want to understand exposure

The output is a consolidated picture: top policies by evaluation volume, policies with the highest failure rate, failed sign-ins with error codes and locations, and the list of configured CA policies (or confirmation that only Security Defaults is active).

Expected Outcomes

After completing this recipe you will have:

  • A breakdown of recent sign-ins by conditionalAccessStatus (success, failure, notApplied)
  • Per-policy statistics: how often each CA policy was evaluated and its success/failure rate
  • A list of failed sign-ins with error codes, failure reasons, IP addresses, and geolocation
  • An inventory of configured Conditional Access policies, their state (enabled / disabled / report-only), and enforced grant controls
  • Clear indication of whether the tenant is protected by custom CA policies or only Security Defaults
  • Actionable recommendations for policy gaps (e.g., missing MFA-for-admins, legacy authentication not blocked)
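As an added example (not part of this recipe or the Dex product), the Python below produces the first three outcomes from sign-in records in the shape Microsoft Graph returns from GET /auditLogs/signIns (conditionalAccessStatus, appliedConditionalAccessPolicies, status.errorCode, location). The records are constructed samples; the field names are Graph's, and the helper name summarize is this example's own.

```python
from collections import Counter, defaultdict

# Constructed sample records in the shape of Graph signIn objects
# (GET /auditLogs/signIns); only the fields this analysis reads are included.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0},
     "location": {"city": "Seattle", "countryOrRegion": "US"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for admins", "result": "success"}]},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7",
     "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53003,  # AADSTS53003: blocked by Conditional Access
                "failureReason": "Access has been blocked by Conditional Access policies."},
     "location": {"city": "Lagos", "countryOrRegion": "NG"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block legacy authentication", "result": "failure"},
         {"displayName": "Require MFA for admins", "result": "notApplied"}]},
    {"userPrincipalName": "carol@contoso.example", "ipAddress": "192.0.2.44",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0},
     "location": {"city": "Berlin", "countryOrRegion": "DE"},
     "appliedConditionalAccessPolicies": []},
]

def summarize(signins):
    """Return the CA status breakdown, per-policy statistics, failed sign-ins, and a
    signal that no policy was evaluated at all (every sign-in notApplied), which is
    what a tenant running only Security Defaults looks like."""
    by_status = Counter(s.get("conditionalAccessStatus", "unknown") for s in signins)
    per_policy = defaultdict(Counter)
    failed = []
    for s in signins:
        for p in s.get("appliedConditionalAccessPolicies", []):
            per_policy[p["displayName"]]["evaluated"] += 1
            per_policy[p["displayName"]][p.get("result", "unknown")] += 1
        status = s.get("status") or {}
        if s.get("conditionalAccessStatus") == "failure" or status.get("errorCode", 0) != 0:
            loc = s.get("location") or {}
            failed.append({"user": s.get("userPrincipalName"), "ip": s.get("ipAddress"),
                           "errorCode": status.get("errorCode"),
                           "reason": status.get("failureReason"),
                           "location": f"{loc.get('city')}, {loc.get('countryOrRegion')}"})
    # Failure rate counts only hard "failure" results; report-only results keep their
    # own keys so a report-only policy is not mistaken for an enforced one.
    stats = {name: {**c, "failure_rate": c["failure"] / c["evaluated"]}
             for name, c in per_policy.items()}
    no_policy_evaluated = bool(signins) and by_status.get("notApplied", 0) == len(signins)
    return {"by_status": dict(by_status), "per_policy": stats,
            "failed_signins": failed, "no_policy_evaluated": no_policy_evaluated}
```

Feed it the value array from a paged Graph response (filtered by createdDateTime and, optionally, userPrincipalName) to get the same summary for a live tenant.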

Risks & Considerations

Warnings and gotchas

  • Read-only operation. This recipe only inspects data; it does not modify policies. Still, treat sign-in data as sensitive PII: it contains usernames, IP addresses, and geolocation.
  • Licensing requirement. Full sign-in log access via Graph requires Entra ID P1 or P2. Tenants on the free tier will get limited or empty results.
  • Security Defaults vs. CA. When Security Defaults is enabled, sign-ins typically show conditionalAccessStatus: notApplied because Security Defaults does not use the CA evaluation engine. That is not a misconfiguration, but it is a signal that you lack granular control.
  • Log latency. Sign-in events can take 5–15 minutes to appear in the audit log. Recent events may be missing.
  • Data retention. Sign-in logs are retained 7 days (free), 30 days (P1/P2). For longer retention, stream to Log Analytics / Sentinel.
  • Do not disable Security Defaults without first creating equivalent or stronger custom CA policies; otherwise you will leave the tenant exposed.
  • PII handling. Exports from this recipe should be stored in compliance with your data retention and privacy policies.

Required Permissions

Permission           Why It's Needed
AuditLog.Read.All    Read Entra ID sign-in logs including Conditional Access evaluation details
Policy.Read.All      Enumerate configured Conditional Access policies and their settings
Directory.Read.All   Resolve user, group, and application display names referenced by policies

The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Investigate Conditional Access activity for the last {days} days. Pull sign-in logs, summarize results by CA status, identify failures with error codes and locations, enumerate configured CA policies and Security Defaults state, and flag any policy gaps (e.g., no MFA-for-admins, legacy auth not blocked). Scope to {user_principal_name} if provided.

For End Users

How an employee would ask Dex for help

I keep getting blocked or asked for extra MFA prompts when I try to sign in; can you check what's happening with my account?