Before automating, you can manually check sign-in logs in Azure AD:
- Go to Azure AD → Security → Conditional Access → Insights & Reporting.
- Use filters to view blocked sign-ins, MFA-required logins, and policy failures.
- Analyze sign-in failures to identify patterns or misconfigurations.
However, manual checking is inefficient—let’s automate it using PowerShell & Azure Monitor!
Automating Conditional Access Sign-In Monitoring with PowerShell
Step 1: Install Required PowerShell Modules
First, ensure you have the necessary modules installed.
```powershell
Install-Module -Name Microsoft.Graph -Scope CurrentUser -Force
```
Step 2: Connect to Microsoft Graph API
Authenticate to retrieve sign-in logs:
```powershell
# Reading sign-in logs through Graph requires both of these permissions
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
```
Step 3: Retrieve Conditional Access Sign-Ins
```powershell
# -All pages through every result; without it only the first page is returned
$SignIns = Get-MgAuditLogSignIn -All | Where-Object { $_.ConditionalAccessStatus -ne "notApplied" }
$SignIns | Select-Object UserDisplayName, UserPrincipalName, ConditionalAccessStatus, RiskLevelDuringSignIn, ClientAppUsed, IPAddress, CreatedDateTime | Format-Table -AutoSize
```
This script retrieves all sign-ins where Conditional Access was applied and displays relevant details.
📌 ConditionalAccessStatus: Displays whether access was granted, blocked, or required MFA.
📌 RiskLevelDuringSignIn: Shows the login’s risk score (High, Medium, Low).
📌 IPAddress: Helps track login attempts from suspicious locations.
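The three steps above list sign-ins but do not tell you which policy blocked whom. The following script, an added example that is not part of the original post, builds on them: it pulls the last day of failed Conditional Access sign-ins through Microsoft Graph, expands the per-sign-in policy list, and summarizes failures by policy and by user so that a misconfigured policy (many users failing one policy) stands out from a single account under pressure (one user failing from many IPs). It assumes the Microsoft.Graph module from Step 1 is installed and that the signed-in account holds the AuditLog.Read.All and Directory.Read.All permissions; the output path is an arbitrary choice.

```powershell
# Added example, not code from the original post. Assumes Microsoft.Graph is installed
# and the account has AuditLog.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Only look at the last 24 hours; filter the date server-side to keep the result set small
$Since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$SignIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $Since" |
    Where-Object { $_.ConditionalAccessStatus -eq "failure" }

# Each sign-in carries every policy that was evaluated; keep only the ones that actually failed
$Failures = foreach ($s in $SignIns) {
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        if ($p.Result -eq "failure") {
            [pscustomobject]@{
                Policy    = $p.DisplayName
                User      = $s.UserPrincipalName
                App       = $s.AppDisplayName
                IPAddress = $s.IPAddress
                Country   = $s.Location.CountryOrRegion
                Time      = $s.CreatedDateTime
            }
        }
    }
}

# Failures per policy: a sudden spike on one policy usually means a misconfiguration, not an attack
$Failures | Group-Object Policy | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Failures per user with the number of distinct source IPs; one user failing from many
# addresses is the pattern worth a closer look
$Failures | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        User      = $_.Name
        Failures  = $_.Count
        UniqueIPs = ($_.Group.IPAddress | Sort-Object -Unique).Count
    }
} | Sort-Object Failures -Descending | Format-Table -AutoSize

# Keep a copy for the investigation record (path is an arbitrary choice)
$Failures | Export-Csv -Path ".\ca-failures.csv" -NoTypeInformation
```

The date filter is applied server-side while the status filter is applied client-side, mirroring the page's own `Where-Object` approach; `AppliedConditionalAccessPolicies` is the Graph property that holds the per-policy result for each sign-in.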
🔹 Automating Monitoring with Azure Monitor & Log Analytics
Instead of running scripts manually, we can automate monitoring using Azure Monitor and Log Analytics.
Step 4: Configure Log Analytics to Store Sign-In Logs
- Go to Azure Portal → Log Analytics Workspaces.
- Create a new workspace (or use an existing one).
- Navigate to Azure AD Diagnostic Settings:
  - Select AuditLogs and SignInLogs.
  - Send logs to Log Analytics.
  - Click Save.
Now, all sign-ins will be stored for query and automation.
🔹 Step 5: Query Conditional Access Sign-In Logs in Azure Monitor
Once logs are stored in Log Analytics, you can query them using Kusto Query Language (KQL):
```kql
SigninLogs
| where ConditionalAccessStatus == "failure"
| project UserDisplayName, UserPrincipalName, AppDisplayName, IPAddress, ConditionalAccessPolicies, TimeGenerated
| order by TimeGenerated desc
```
This query identifies blocked sign-ins due to Conditional Access.
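The query above lists individual failures; for an alert condition (Step 6) you normally want a count per policy so a threshold can be applied. The script below is an added example, not from the original post, that runs such an aggregating KQL query against the workspace from PowerShell using the Az.OperationalInsights module: it expands the `ConditionalAccessPolicies` column, counts failures per policy and application, and flags rows where one user fails from many source IPs. It assumes Az.Accounts and Az.OperationalInsights are installed and that you replace the placeholder workspace ID with your own; the thresholds are illustrative values.

```powershell
# Added example, not code from the original post. Assumes Az.Accounts and
# Az.OperationalInsights are installed; the workspace ID is a placeholder.
Connect-AzAccount
$WorkspaceId = "<your-log-analytics-workspace-id>"

# ConditionalAccessPolicies is a dynamic array of {displayName, result, ...} objects;
# mv-expand turns it into one row per evaluated policy so the failing policy can be named
$Query = @'
SigninLogs
| where TimeGenerated > ago(24h)
| where ConditionalAccessStatus == "failure"
| mv-expand Policy = ConditionalAccessPolicies
| where tostring(Policy.result) == "failure"
| summarize Failures = count(),
            Users     = dcount(UserPrincipalName),
            SourceIPs = dcount(IPAddress)
    by PolicyName = tostring(Policy.displayName), AppDisplayName
| order by Failures desc
'@

$Result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Query

# Full per-policy picture; this is the shape of result you would attach a threshold to in an alert rule
$Result.Results | Format-Table -AutoSize

# Query results come back as strings, so cast before comparing.
# Many users failing one policy usually points at the policy; one user failing from
# many IPs (illustrative threshold: more than 5) is the row to escalate.
$Result.Results | Where-Object { [int]$_.Users -eq 1 -and [int]$_.SourceIPs -gt 5 } |
    Format-Table PolicyName, AppDisplayName, Failures, SourceIPs -AutoSize
```

The same `summarize` query can be pasted into the alert rule in Step 6 with a threshold on `Failures`, which is less noisy than alerting on every individual failed sign-in.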
🔹 Step 6: Set Up Alerting for Suspicious Sign-Ins
To receive email notifications for suspicious login attempts:
- Go to Azure Monitor → Alerts → New Alert Rule.
- Select Log Analytics as the resource.
- Use the KQL query above as the condition.
- Set Action Group → Email, SMS, or Teams notification.
- Click Create Alert Rule.
🚀 Now, you’ll be notified of any failed Conditional Access logins!
🔹 Summary
✅ Conditional Access protects against unauthorized access.
✅ Monitoring sign-ins ensures policies are effective.
✅ PowerShell & KQL queries help automate log analysis.
✅ Azure Monitor alerts proactively notify of threats.
By combining Conditional Access with automated monitoring, you strengthen your organization’s security posture while reducing the risk of unauthorized access.