Azure AD

How to Generate Conditional Access Policies Report in Entra ID

Conditional Access is a key to the zero-trust model, where every access attempt is verified, and trust is never assumed. However, even a slight misconfiguration in these policies can compromise your entire security framework. That's why it's crucial to continuously monitor Conditional Access policies and their changes in Microsoft 365, ensuring that every policy is correctly configured and up to date. In this guide, you'll learn how to effectively generate and interpret Conditional Access policy reports in Azure AD, helping you maintain a robust security posture.

Using PowerShell Script

Microsoft 365 Permission Required

Global Admin, Security Admin, Security Reader, or Global Reader.

In Microsoft Graph PowerShell, the 'Get-MgIdentityConditionalAccessPolicy' cmdlet is used to retrieve all Conditional Access policies and their details.
However, it requires complex handling to generate a detailed report and doesn't return values as identifiable names.
To simplify the process of reporting Conditional Access policies, we have created a dedicated PowerShell script.
Download the provided script and run it in an Administrator PowerShell.

ExportCApolicies.ps1

NOTE: Admins often prefer the Entra admin center to manage CA policies. However, admins can only view the Conditional Access policies configured in the organization. Exporting or generating reports is not possible! Thus, to export CA policies and generate reports, PowerShell is the go-to method.

Using AdminDroid
Simple & Quick

AdminDroid Permission Required Delegated

Any user with report access assigned by the Super Admin.

Open the AdminDroid Microsoft 365 Reporter.
Navigate to the All Conditional Access Policies report under Analytics»Conditional Access Policies Analytics»Policy Configured»All Policies.

AdminDroid Azure AD Reporter

Ensure Security by Effectively Monitoring Conditional Access Policies!

AdminDroid's Azure AD management tool delivers comprehensive insights into your Conditional Access policies, allowing you to effortlessly analyze configurations by user, location, app, device, etc. Additionally, it organizes policies with grant and block session controls into dedicated reports, simplifying monitoring and improving security.

Monitor Blocked Sign-ins using AdminDroid Alerts

Instantly receive notifications for user sign-ins blocked by Conditional Access in your Microsoft 365 using default alert policy in AdminDroid alerting.

Find MFA Activated Users via CA Policies

Identify all Microsoft 365 users who have activated MFA via Conditional Access policies, ensuring robust security for those accessing sensitive data or applications.

Discover CA Policies Applied to All for Enhanced Security

Monitor CA policies with conditions applied to all actively, as they have the potential to lock you out of your Microsoft 365, leading to severe consequences.

Explore Conditional Access Policies with Application Conditions

Use the CA policies with application conditions report to ensure only authorized apps access sensitive data, maintaining strict control and safeguarding your organization's resources.

Track Conditional Access Policies for External Users

Analyze the Conditional Access policies for external users to maintain secure external collaborations and safeguard confidential company data.

Unlock Insights into Conditional Access Based Sign-Ins

Detect user sign-ins based on Conditional Access policies to understand how they securely access resources, including details on sign-in denials and authentication requirements.

In conclusion, AdminDroid provides a comprehensive solution for managing Conditional Access across your organization. Every aspect of your CA policies is meticulously recorded, reported, and presented in an easy-to-understand format. This enables you to effortlessly oversee and enhance your security settings, ensuring optimal protection and policy compliance.

Explore a full range of reporting options

Download Live Demo

Important Tips

Disable security defaults to use Conditional Access policies, allowing tailored security configurations that meet your organization’s needs.

Prevent missing out on critical configurations in your CA policies, like risky users, named locations, or apps, by using the Conditional Access gap analyzer workbook.

Use Conditional Access templates to deploy policies without manual effort, ensuring the organization aligns with security best practices.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while exporting Conditional Access reports.

Error Don't lock yourself out! This policy will affect all of your users. We recommend applying a policy to a small set of users first to verify it behaves as expected.

This error occurs when you try to activate a Conditional Access policy with the "All Users" condition.

Fix Exclude break glass or emergency accounts before creating the Conditional Access policy.

Error Get-MgIdentityConditionalAccessPolicy : The term 'Get-MgIdentityConditionalAccessPolicy' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

This error occurs because the required modules are not properly updated or you have not connected to the necessary module.

Fix Update the Microsoft Graph module and connect to it.

Update-Module Microsoft.Graph  

Connect-MgGraph

Error You cannot access this right now. Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location that is restricted by your admin. Error Code: 53003

This error occurs when a sign-in attempt is blocked due to Conditional Access restrictions while signing into Microsoft 365 cloud apps.

Fix Verify the configured Conditional Access policies, especially those with block conditions. Ensure your Microsoft apps are updated.

Error Get-MgIdentityConditionalAccessPolicy : Authentication needed.

This error occurs when you execute the ‘Get-MgIdentityConditionalAccessPolicy’ cmdlet in PowerShell without connecting to required modules.

Fix Before executing this cmdlet, connect to Microsoft Graph PowerShell using the following command.

Connect-MgGraph 

Get-MgIdentityConditionalAccessPolicy

Error It looks like you’re about to manage your organization’s security configurations. You must first disable security defaults before enabling a Conditional Access policy.

This error occurs when you try to create a Conditional Access policy in the Microsoft entra center without disabling the security defaults first.

Fix To resolve this error, disable security defaults by navigating to the .

Error You must configure either the "Grant" or "Session" section.

This error occurs when you've configured the conditions but haven't set up the access controls for the respective CA policy.

Fix Configure the grant or session controls in the policy to set up access controls.

Entra ID

Frequently Asked Questions

Explore Comprehensive Conditional Access Reporting

How to identify the report-only mode Conditional Access policies?

To effectively manage Conditional Access policies in Microsoft 365, understanding the significance of report-only mode CA policies is crucial. These policies, if left unmonitored, can introduce security vulnerabilities and compliance challenges. Therefore, it's essential to monitor them carefully to ensure they are correctly configured and enforced after analysis.

Why to Monitor the Report-Only Mode Conditional Access Policies?

Impact Assessment: Before applying policies in the live environment, assess their impact by monitoring them in report-only mode.
Policy Optimization: Fine-tune policies for better security without impacting productivity.
Compliance: Ensure policies align with regulatory and organizational requirements.
Comprehensive Understanding: By monitoring the report-only mode CA policies, admins can see how the CA policies work together and their combined effect.

You can view the report-only mode CA policies by using filters in the Entra admin center. Microsoft 365 doesn't provide any direct report for them.

On the Conditional Access policies page, select Add filter.
Set the 'Filter' to State and for the 'Value', select only the Report-only mode.
Now, you can view all the report-only mode CA policies in your Microsoft 365.

Additionally, report-only mode CA policies are not enforced but can be evaluated during sign-ins. You can check this via the Azure AD Sign-in logs under the Monitoring & Health section of the Entra admin center.

With AdminDroid, monitoring report-only mode CA policies is effortless!

In the All Conditional Access Policies report, set the policy state to 'enabled for reporting but not enforced' to view all report-only mode CA policies with granular details.
You can also view enabled and disabled Conditional Access policies by adjusting the policy state filter to suit your needs.

Handy Hint: Want a better view? Switch from tables to insightful dashboards by selecting Graphical View»Detailed Chart View on your CA report page. Tailor your charts with the Customize option to fit your needs perfectly.

How to audit Conditional Access policy changes?

If an admin notices an unauthorized policy change, that permits access from an untrusted location, it could be a sign of a compromised admin account. Catching this early is vital for taking quick action and stopping potential security breaches. That's why monitoring Conditional Access policy changes is key to maintaining Microsoft 365 security. Here's how you can audit these changes:

Login to the Microsoft Entra admin center and navigate to the Audit logs page in the Monitoring & health section.
Specify the date range you want to examine the relevant changes.
In the 'Service' filter, select 'Conditional Access' and click Apply.
Look for the Update conditional access policy activity under the 'Activity' category.
Choose the specific policy you want to monitor for changes.
Under the 'Modified Properties' tab, select 'Click here to view changes to the Conditional Access policy (Preview)' to see a detailed history of changes made to the policy.

While Microsoft provides tools to view Conditional Access policy changes, the process often involves tedious repetition for each policy, making it difficult to efficiently track updates or changes.

Struggling to track updates across multiple Conditional Access policies? Let AdminDroid streamline it for you!

AdminDroid simplifies monitoring by consolidating all modified policies into one comprehensive report.
The 'Recently Modified Policies' report enables admins to effortlessly audit Conditional Access policy changes and proactively secure the system, ensuring comprehensive oversight and security.

How to detect users excluded from Conditional Access policies?

For Microsoft 365 admins, identifying users excluded from Conditional Access policies is crucial for maintaining a secure environment. Users excluded from these policies may inadvertently bypass important security measures, leaving your organization vulnerable to potential threats. Ensuring users are excluded only for proper reasons helps to strengthen your overall security posture and reduces the risk of unauthorized access.

Open the Conditional Access Policies page in the Microsoft Entra admin center.
Click on the Conditional Access policy you want to review.
Under the Users category, you will find one of these options if any users are excluded from this policy.
- All users included and specific users excluded.
- Specific users included and specific users excluded.
Select the appropriate option and navigate to the Exclude category.
You will see all the users and groups who are excluded in the CA policy.

Viewing users excluded from Conditional Access policies through the Microsoft Entra admin center can be time-consuming and prone to errors due to the manual steps involved. It doesn't provide a centralized view of exclusions in all CA policies, making it hard to get a complete picture of your exclusions list. The limited reporting features hinder efficient analysis and sharing.

Microsoft 365 may lack reports on Conditional Access user conditions, but AdminDroid provides the necessary visibility.

User Conditions on CA Policies report in AdminDroid showcases the included and excluded users for each CA policy in your Microsoft 365 environment.
You can easily view the excluded user conditions on CA policies with AdminDroid's dedicated filter.

How to monitor Conditional Access policies for sign-in risks and user risks?

Imagine the CEO's account is flagged for suspicious activity due to a sign-in attempt from an unfamiliar location. This is where monitoring Conditional Access (CA) policies for sign-in risk and user risk becomes vital.

Understanding Sign-In Risk and User Risk:

Sign-In Risk: Refers to the likelihood that a sign-in attempt might be fraudulent. It is calculated based on factors like the sign-in location, device, and user behavior patterns.
User Risk: The probability that an account might be compromised, assessed by analyzing the user’s activity and potential security threats.

CA policies help detect unusual behavior and enforce multi-factor authentication (MFA) to prevent unauthorized access. Regularly checking these CA policies ensures that sign-in risks and user risks are managed by the latest security measures, keeping your organization safe.

Open the Conditional Access policies page in the Microsoft Entra admin center.
Select the 'Add filter' option and set the Condition value as User risk and Sign-in risk.
Now, view all the Conditional Access policies based on user risk and sign-in risk configured in your organization.

Navigating multiple tabs and applying numerous filters in the Entra admin center can be tedious. This process is often time-consuming when gathering crucial details of risk-based Conditional Access policies.

Fortunately, the Policies on User Assignments report from AdminDroid simplifies monitoring risk conditions in Conditional Access policies!

Admins get a clear overview of user assignments and configured risk levels using this comprehensive report.
This enables admins to monitor effectively and make informed decisions to adjust Conditional Access policies as needed.

How to find Conditional Access policies configured with device filters?

After the pandemic, Microsoft allowed users to access services from anywhere and anytime, accommodating a variety of devices and increasing remote work. This shift makes it crucial for admins to secure the organization's apps and data on these devices. Conditional Access policies for devices enforce critical security measures to protect against unauthorized access and data breaches.

Identifying these device-based Conditional Access policies is essential not only to ensure security but also to prevent locking out legitimate users inadvertently.

From the 'Conditional Access > Policies' page of Entra Admin Center, click the Add filter button.
Set the Condition value to Device platforms.
Select Apply to view only the device-based Conditional Access policies in your organization.

Unfortunately, Microsoft 365 doesn't provide explicit reports on Conditional Access policies with device and app configurations. This makes it challenging for administrators to track and manage them effectively.

Where the native method leaves off, AdminDroid steps in by offering precise reports on Conditional Access and its configurations!

It highlights all policies with device configurations in the 'Policies with Devices Conditions' report.
This report shows the device conditions in your CA policies, including policy name, included devices, excluded devices, and more.

Handy Hint: Quickly download and share your reports with a single click! Use the download button in the top right corner 📥 to export data in popular formats like HTML, PDF, CSV, XLS, XLSX, and RAW.

How to identify CA policies configured for all trusted networks?

An admin should regularly review Conditional Access (CA) policies, especially all trusted configurations, to ensure security. For instance, if certain networks previously marked as trusted are compromised during a breach, they need to be reevaluated. Regular reviews help identify and mitigate these risks, ensuring that only genuine trusted networks remain approved. This proactive approach helps maintain robust security and prevent unauthorized access from compromised locations.

Go to the Conditional Access Policies page in the Microsoft Entra admin center.
Select ‘Add filter’ and choose the Filter as Condition.
Set the Value as Locations.

This will list all location-based Conditional Access policies. If you have numerous policies, finding those with all trusted or custom-selected networks can be challenging as each policy must be reviewed separately. This is where native methods can be insufficient.

When native methods fall short, AdminDroid lends a hand!

With AdminDroid's Conditional Access Policies with Location Conditions report, you gain detailed insights and easier navigation compared to native methods.
By selecting 'All trusted' under Included Locations, you can easily view all policies configured with trusted location conditions and monitor key details, such as policy state, access control settings, etc.