Conditional Access Policy Logs

m365-azure | Authentication & Access | Cloud Admin Portal

Location

Azure Portal > Entra ID > Monitoring > Sign-in logs > Conditional Access tab

Description

Per-sign-in evaluation results of all Conditional Access policies showing which policies were applied, which were not matched, and whether the grant/session controls succeeded or failed.

Forensic Value

Conditional Access logs reveal exactly which security policies were evaluated during an attacker sign-in and why access was granted. If an attacker bypassed MFA, these logs show whether it was because no CA policy required MFA for that application, the policy excluded the user, or the device was considered compliant. This directly informs remediation by identifying policy gaps exploited during the incident.
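The triage described above, as an added example that is not part of the original entry: it reads exported sign-in records and reports, per sign-in, whether an MFA policy was enforced, skipped, replaced by another control, or only evaluated in report-only mode. The field names `appliedConditionalAccessPolicies`, `result` and `enforcedGrantControls` are those of the Microsoft Graph signIn resource; the sample records, policy names, control strings and the assumption that a `notApplied` policy still lists its grant controls are constructed for illustration.

```python
import json

# Constructed sign-in records shaped like Graph signIn objects; all names and the
# control strings "Mfa" / "RequireCompliantDevice" are assumptions for this example.
SAMPLE_SIGNINS = json.loads("""
[
 {"userPrincipalName": "alice@example.test", "appDisplayName": "Exchange Online",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA - all users", "result": "success", "enforcedGrantControls": ["Mfa"]}]},
 {"userPrincipalName": "svc-sync@example.test", "appDisplayName": "Azure Portal",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA - all users", "result": "notApplied", "enforcedGrantControls": ["Mfa"]}]},
 {"userPrincipalName": "bob@example.test", "appDisplayName": "SharePoint Online",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA - all users", "result": "notApplied", "enforcedGrantControls": ["Mfa"]},
   {"displayName": "Allow compliant devices", "result": "success", "enforcedGrantControls": ["RequireCompliantDevice"]}]},
 {"userPrincipalName": "carol@example.test", "appDisplayName": "Legacy App",
  "appliedConditionalAccessPolicies": [
   {"displayName": "Require MFA - pilot", "result": "reportOnlyFailure", "enforcedGrantControls": ["Mfa"]}]}
]
""")

def requires_mfa(policy):
    return any(c.lower() == "mfa" for c in policy.get("enforcedGrantControls", []))

def triage(signin):
    """Return (verdict, policy names) explaining how CA treated one sign-in."""
    policies = signin.get("appliedConditionalAccessPolicies", [])
    if any(p.get("result") == "failure" for p in policies):  # a control was not satisfied
        return "control_failed", [p["displayName"] for p in policies if p.get("result") == "failure"]
    enforced = [p for p in policies if p.get("result") == "success"]
    if any(requires_mfa(p) for p in enforced):
        return "mfa_enforced", [p["displayName"] for p in enforced if requires_mfa(p)]
    if enforced:  # access granted by a non-MFA control such as device compliance
        return "granted_without_mfa_control", [p["displayName"] for p in enforced]
    skipped = [p for p in policies if requires_mfa(p) and p.get("result") == "notApplied"]
    if skipped:  # an MFA policy exists but the user, app or condition fell outside its scope
        return "mfa_policy_not_applied", [p["displayName"] for p in skipped]
    report_only = [p for p in policies if str(p.get("result", "")).startswith("reportOnly")]
    if report_only:  # evaluated for reporting, never enforced
        return "report_only_not_enforced", [p["displayName"] for p in report_only]
    return "no_policy_evaluated", []

def triage_all(signins):
    return {s["userPrincipalName"]: triage(s) for s in signins}

if __name__ == "__main__":
    for user, (verdict, names) in triage_all(SAMPLE_SIGNINS).items():
        print(f"{user:28} {verdict:30} {', '.join(names)}")
```

A `mfa_policy_not_applied` or `granted_without_mfa_control` verdict on a suspicious sign-in points at the policy whose scope or grant controls should be reviewed first.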

Tools Required

Azure Portal, Microsoft Graph API, PowerShell (AzureAD module)