View applied Conditional Access details in the Microsoft Entra activity logs

With Conditional Access policies, you can control how your users get access to your Azure and Microsoft Entra resources. As a tenant admin, you need to be able to determine what effect your Conditional Access policies have on sign-ins to your tenant, so that you can take action if necessary. You might also need to view audit logs for recent changes to Conditional Access policies.

This article explains how to view applied Conditional Access policies in the Microsoft Entra activity logs.

Prerequisites

To see applied Conditional Access policies in the logs, administrators must have permissions to view both the logs and the policies. The least privileged built-in role that grants both permissions is Security Reader. As a best practice, you should add the Security Reader role to the related administrator accounts.

The following built-in roles grant permissions to read Conditional Access policies:

  • Security Reader
  • Security Administrator
  • Conditional Access Administrator

The following built-in roles grant permission to view activity logs:

  • Reports Reader
  • Security Reader
  • Security Administrator

Permissions

If you use a client app or the Microsoft Graph PowerShell module to pull logs from Microsoft Graph, your app needs permissions to receive the appliedConditionalAccessPolicy resource from Microsoft Graph. As a best practice, assign Policy.Read.ConditionalAccess because it's the least privileged permission.

The following permissions allow a client app to access the activity logs and any applied Conditional Access policies in the logs through Microsoft Graph:

  • Policy.Read.ConditionalAccess
  • Policy.ReadWrite.ConditionalAccess
  • Policy.Read.All
  • AuditLog.Read.All
  • Directory.Read.All

To use the Microsoft Graph PowerShell module, connect with the least privileged scopes and then use the following cmdlets:

  • To consent to the necessary permissions: Connect-MgGraph -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scopes Policy.Read.ConditionalAccess, AuditLog.Read.All, Directory.Read.All
  • To view the sign-in logs: Get-MgAuditLogSignIn
  • To view the audit logs: Get-MgAuditLogDirectoryAudit

For more information, see Get-MgAuditLogSignIn and Get-MgAuditLogDirectoryAudit.

Conditional Access and sign-in log scenarios

As a Microsoft Entra administrator, you can use the sign-in logs to:

  • Troubleshoot sign-in problems.
  • Check on feature performance.
  • Evaluate the security of a tenant.

Some scenarios require you to get an understanding of how your Conditional Access policies were applied to a sign-in event. Common examples include:

  • Helpdesk administrators who need to look at applied Conditional Access policies to understand if a policy is the root cause of a ticket that a user opened.
  • Tenant administrators who need to verify that Conditional Access policies have the intended effect on the users of a tenant.

You can access the sign-in logs by using the Microsoft Entra admin center, the Azure portal, Microsoft Graph, and PowerShell.

How to view Conditional Access policies

Tip

Steps in this article might vary slightly based on the portal you start from.

The activity details of sign-in logs contain several tabs. The Conditional Access tab lists the Conditional Access policies applied to that sign-in event.

  1. Sign in to the Microsoft Entra admin center as at least a Reports Reader.
  2. Browse to Identity > Monitoring & health > Sign-in logs.
  3. Select a sign-in item from the table to view the sign-in details pane.
  4. Select the Conditional Access tab.

If you don't see the Conditional Access policies, confirm you're using a role that provides access to both the sign-in logs and the Conditional Access policies.

Conditional Access and audit log scenarios

The Microsoft Entra audit logs contain information about changes to Conditional Access policies. You can use the audit logs to find out when a policy was created, updated, or deleted.

To see when an existing Conditional Access policy was updated:

  1. Sign in to the Microsoft Entra admin center as at least a Reports Reader.
  2. Browse to Identity > Monitoring & health > Audit logs.
  3. Set Service filter to Conditional Access.
  4. Set the Category filter to Policy.
  5. Set the Activity filter to Update conditional access policy.

You might need to adjust the date to see the changes you're looking for. The Target column shows the name of the Conditional Access policy that was updated.

To compare the current policy with the previous policy, select the audit log entry and then select the Modified properties tab.
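The two procedures above (reading the applied policies for a sign-in, and finding who updated a policy and what changed) can also be done from the Microsoft Graph PowerShell module described in the Permissions section. The following is an added example, not code from the original article; it assumes the Microsoft.Graph module is installed, and the user principal name and the 7-day window are placeholders you would replace.

```powershell
# Connect with the least privileged scopes named in the Permissions section.
Connect-MgGraph -Scopes 'Policy.Read.ConditionalAccess','AuditLog.Read.All','Directory.Read.All'

$user  = 'user@contoso.com'   # placeholder UPN for the account under investigation
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# Sign-in logs: every entry carries the Conditional Access policies evaluated for it.
# ConditionalAccessStatus summarises the sign-in (success, failure, notApplied);
# each policy in AppliedConditionalAccessPolicies reports its own Result.
$signIns = Get-MgAuditLogSignIn -All `
    -Filter "userPrincipalName eq '$user' and createdDateTime ge $since"
foreach ($s in $signIns) {
    "{0}  app={1}  error={2}  CA={3}" -f $s.CreatedDateTime, $s.AppDisplayName,
        $s.Status.ErrorCode, $s.ConditionalAccessStatus
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        # A policy with Result 'failure' is the one that blocked or challenged the sign-in;
        # EnforcedGrantControls shows what it demanded (for example 'Mfa').
        "    [{0,-10}] {1}  grant={2}" -f $p.Result, $p.DisplayName,
            ($p.EnforcedGrantControls -join ',')
    }
}

# Audit logs: the same Service/Category/Activity filters as the admin center steps,
# plus the before and after value of each modified property.
$changes = Get-MgAuditLogDirectoryAudit -All `
    -Filter ("loggedByService eq 'Conditional Access' and category eq 'Policy' " +
             "and activityDisplayName eq 'Update conditional access policy' " +
             "and activityDateTime ge $since")
foreach ($c in $changes) {
    $actor = $c.InitiatedBy.User.UserPrincipalName
    foreach ($t in $c.TargetResources) {
        "{0}  {1} updated policy '{2}'" -f $c.ActivityDateTime, $actor, $t.DisplayName
        foreach ($m in $t.ModifiedProperties) {
            "    {0}: {1} -> {2}" -f $m.DisplayName, $m.OldValue, $m.NewValue
        }
    }
}
```

Reviewing the OldValue and NewValue pairs for a policy is the scripted equivalent of the Modified properties tab, and a change made by an unexpected actor or outside a change window is worth following up on.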