Conditional Access Policy Logs
Location
Azure Portal > Entra ID > Monitoring > Sign-in logs > Conditional Access tab
Description
Per-sign-in evaluation results of all Conditional Access policies showing which policies were applied, which were not matched, and whether the grant/session controls succeeded or failed.
Forensic Value
Conditional Access logs reveal exactly which security policies were evaluated during an attacker sign-in and why access was granted. If an attacker bypassed MFA, these logs show whether it was because no CA policy required MFA for that application, the policy excluded the user, or the device was considered compliant. This directly informs remediation by identifying policy gaps exploited during the incident.
Tools Required
Collection Commands
Graph API
GET https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=createdDateTime ge 2024-01-01T00:00:00Z&$select=userDisplayName,appDisplayName,conditionalAccessStatus,appliedConditionalAccessPolicies&$top=999
PowerShell
# Requires the AzureADPreview module, which Microsoft has deprecated; Get-MgAuditLogSignIn (Microsoft Graph PowerShell) accepts the same -Filter and -Top parameters.
Get-AzureADAuditSignInLogs -Filter "createdDateTime ge 2024-01-01 and conditionalAccessStatus eq 'failure'" -Top 500 | Export-Csv ca_failures.csv -NoTypeInformation
KQL
SigninLogs
| where TimeGenerated > ago(30d)
| mv-expand ConditionalAccessPolicies
| where tostring(ConditionalAccessPolicies.result) == "failure"
| project TimeGenerated, UserPrincipalName, AppDisplayName,
    PolicyName = tostring(ConditionalAccessPolicies.displayName),
    PolicyResult = tostring(ConditionalAccessPolicies.result)
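The records returned by the Graph API query above can be triaged with a short script that applies the reasoning in Forensic Value: for each sign-in it states whether an MFA grant control was actually enforced, a policy existed but did not match (scope exclusion or unmet condition), or no policy covered the sign-in at all. This is an added Python example, not part of the original entry; the sign-in records are constructed, and the "Mfa" grant-control string and the category names are assumptions.

```python
import json
from collections import Counter

# Constructed sample in the shape returned by GET /auditLogs/signIns with the
# $select used on this page (field names are Graph signIn properties; values
# are made up for illustration).
SAMPLE_SIGNINS = json.loads("""[
 {"id": "s1", "userDisplayName": "alice", "appDisplayName": "Exchange Online",
  "conditionalAccessStatus": "success", "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA for all users", "result": "success",
    "enforcedGrantControls": ["Mfa"]}]},
 {"id": "s2", "userDisplayName": "bob", "appDisplayName": "Azure Portal",
  "conditionalAccessStatus": "success", "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA for all users", "result": "notApplied",
    "enforcedGrantControls": []}]},
 {"id": "s3", "userDisplayName": "carol", "appDisplayName": "Microsoft Graph",
  "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": []},
 {"id": "s4", "userDisplayName": "dave", "appDisplayName": "SharePoint Online",
  "conditionalAccessStatus": "failure", "appliedConditionalAccessPolicies": [
   {"displayName": "Block legacy authentication", "result": "failure",
    "enforcedGrantControls": ["Block"]}]}
]""")

# Categories that point at a policy gap worth reviewing (assumed names).
MFA_GAP_CATEGORIES = {"policy_exists_not_matched", "no_policy_evaluated",
                      "granted_without_mfa_control"}

def classify(signin):
    """Explain why CA granted or denied this sign-in; reportOnly* results are not enforcement."""
    policies = signin.get("appliedConditionalAccessPolicies") or []
    if signin.get("conditionalAccessStatus") == "failure":
        return "blocked_or_failed_control"      # a policy denied the sign-in
    enforced = [p for p in policies if p.get("result") == "success"]
    if any("Mfa" in p.get("enforcedGrantControls", []) for p in enforced):
        return "mfa_enforced"                   # MFA grant control was satisfied
    if enforced:
        return "granted_without_mfa_control"    # e.g. only a compliant-device control
    if any(p.get("result") == "notApplied" for p in policies):
        return "policy_exists_not_matched"      # user/app excluded or condition unmet
    return "no_policy_evaluated"                # no CA policy covered this sign-in

def summarize(signins):
    """Count outcomes and list the sign-ins that expose a policy gap."""
    labelled = [(s, classify(s)) for s in signins]
    return {
        "counts": Counter(label for _, label in labelled),
        "mfa_gaps": [s for s, label in labelled if label in MFA_GAP_CATEGORIES],
    }

if __name__ == "__main__":
    for s in summarize(SAMPLE_SIGNINS)["mfa_gaps"]:
        print(s["id"], s["userDisplayName"], s["appDisplayName"], classify(s))
```

Feed it the JSON `value` array from the Graph response (paging through `@odata.nextLink` first) and the `mfa_gaps` list becomes the starting point for the policy review the Forensic Value section describes.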
MITRE ATT&CK Techniques
Used in Procedures
Related Blockers
Cloud or Container Logging Coverage Missing
The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.
SaaS Audit Logging Not Enabled or Not Licensed
The investigation depends on SaaS audit evidence that was never enabled, is unavailable under the current subscription tier, or requires a higher-privilege admin role than the response team currently has. This creates blind spots for identity abuse, collaboration-platform misuse, and source-code access.
SaaS Audit Retention Expired Before Collection
The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.