🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.
Azure AD

How to Generate Conditional Access Policies Report in Microsoft Entra ID

Conditional Access in Microsoft Entra ID is a key to the zero-trust model, where every access attempt is verified, and trust is never assumed. However, even a slight misconfiguration in these policies can compromise your entire security framework. That's why it's crucial to monitor CA policies and changes in Microsoft 365 to ensure they are correctly configured and up to date. In this guide, you'll learn how to check Conditional Access policies in Entra ID to maintain a robust security posture.

Solution 1
Solution 2
Important Tips
Errors and Resolution Steps
FAQs

Get Conditional Access Policies in Microsoft 365 Using PowerShell Script

Microsoft 365 Permission Required
Security Reader Least Privilege
Global Admin Most Privilege
  • In Microsoft Graph PowerShell, the 'Get-MgIdentityConditionalAccessPolicy' cmdlet is used to retrieve all Conditional Access policies and their details.
  • However, it requires complex handling to generate a detailed report and doesn't return values as identifiable names.
  • To simplify the process of reporting Conditional Access policies, we have created a dedicated PowerShell script.
  • Download the provided script and run it as an admin to get Conditional Access policies in PowerShell.
Get Conditional Access Policies in Microsoft 365 Using PowerShell Script
ExportCApolicies.ps1 NOTE: Admins often prefer the Entra admin center to manage CA policies. However, admins can only view the Conditional Access policies configured in the organization. Exporting or generating reports is not possible! Thus, to export Conditional Access policies to Excel, PowerShell is the go-to method.
AdminDroid Azure AD Reporter

Monitor Conditional Access Policies to Ensure Security!

AdminDroid's Azure AD management tool delivers comprehensive insights into your Conditional Access policies, allowing you to effortlessly analyze configurations by user, location, app, device, etc. Additionally, it organizes policies with grant and block session controls into dedicated reports, simplifying monitoring and improving security.

Monitor Blocked Sign-ins using AdminDroid Alerts

Instantly receive alerts for user sign-ins blocked by Conditional Access in your Microsoft 365 using default alert policy in AdminDroid alerting.

Find MFA Activated Users via CA Policies

Identify all users who have activated MFA via Conditional Access policies to ensure robust security for those accessing sensitive data or applications in Microsoft 365.

Discover CA Policies Applied to All for Enhanced Security

Monitor CA policies with conditions applied to all actively, as they have the potential to lock you out of your Microsoft 365 organization and cause severe consequences.

Explore Conditional Access Policies with Application Conditions

Use the CA policies with application conditions report to ensure only authorized apps access sensitive data, maintain strict control, and safeguard your organization's resources.

Track Conditional Access Policies for External Users

Analyze the Conditional Access policies for external users to maintain secure external collaborations and safeguard confidential company data.

Unlock Insights into Conditional Access Based Sign-Ins

Detect user sign-ins based on Conditional Access policies to understand secure access to resources, sign-in denials, and authentication requirements.

In conclusion, AdminDroid provides a comprehensive solution for managing Conditional Access across your organization. Every aspect of your CA policies is meticulously recorded, reported, and presented in an easy-to-understand format. This enables you to effortlessly oversee and enhance your security settings, ensuring optimal protection and policy compliance.

Explore a full range of reporting options
Download Live Demo

Important Tips

Disable Entra security defaults to use Conditional Access policies, allowing tailored security configurations that meet your organization’s needs.

Prevent missing out on critical configurations in your CA policies, like risky users, named locations, or apps, by using the Conditional Access gap analyzer workbook.

Use Conditional Access templates to deploy policies without manual effort and ensure security aligns with your organization's needs.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while exporting Conditional Access reports.

Error Don't lock yourself out! This policy will affect all of your users. We recommend applying a policy to a small set of users first to verify it behaves as expected.

This error occurs when you try to create a Conditional Access policy with the "All Users" condition.

Fix Exclude break glass or emergency accounts before creating the Conditional Access policy.

Error Get-MgIdentityConditionalAccessPolicy : The term 'Get-MgIdentityConditionalAccessPolicy' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

This error occurs because the required modules are not properly updated or you have not connected to the necessary module.

Fix Update the Microsoft Graph module and connect to it with required permissions. 
Update-Module Microsoft.Graph 
Connect-MgGraph -Scopes 'Policy.Read.All'

Error You cannot access this right now. Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location that is restricted by your admin. Error Code: 53003

The '53003 blocked by Conditional Access' error occurs when a sign-in attempt to Microsoft 365 cloud apps is restricted due to Conditional Access policies.

Fix Verify the configured Conditional Access policies, especially those with block conditions. Ensure your Microsoft apps are updated.

Error Get-MgIdentityConditionalAccessPolicy : Authentication needed.

This error occurs when you execute the ‘Get-MgIdentityConditionalAccessPolicy’ cmdlet in PowerShell without connecting to required modules.

Fix Before executing this cmdlet, connect to Microsoft Graph PowerShell using the following command. 
Connect-MgGraph 
Get-MgIdentityConditionalAccessPolicy

Error It looks like you’re about to manage your organization’s security configurations. You must first disable security defaults before enabling a Conditional Access policy.

This error occurs when you try to create a Conditional Access policy in the Microsoft entra center without disabling the security defaults first.

Fix To resolve this error, disable security defaults by navigating to the Microsoft Entra admin center»Identity»Overview»Properties»Security defaults.

Error You must configure either the "Grant" or "Session" section.

This error occurs when you've configured the conditions but haven't set up the access controls for the respective CA policy.

Fix Configure the grant or session controls in the policy to set up access controls.
Entra ID
Frequently Asked Questions

Explore Comprehensive Conditional Access Reporting

How to identify the report-only mode Conditional Access policies?
How to audit Conditional Access policy changes?
How to detect users excluded from Conditional Access policies?
How to monitor Conditional Access policies for sign-in risks and user risks?
How to find Conditional Access policies configured with device filters?
How to identify CA policies configured for all trusted networks?

1. How to identify the report-only mode Conditional Access policies?

To effectively manage Conditional Access policies in Microsoft 365, understanding the significance of report-only mode CA policies is crucial. These policies, if left unmonitored, can introduce security vulnerabilities and compliance challenges. Therefore, it's essential to monitor them carefully to ensure they are correctly configured and enforced after analysis.

Why to monitor the report-only mode Conditional Access policies?

  • Impact Assessment: Before applying policies in the live environment, assess their impact by monitoring the Conditional Access status using report-only mode.
  • Policy Optimization: Fine-tune policies for better security without impacting productivity.
  • Compliance: Ensure policies align with regulatory and organizational requirements.
  • Comprehensive Understanding: By monitoring the report-only mode CA policies, admins can see how the CA policies work together and their combined effect.

Note: Additionally, you can use the What If tool in the Entra admin center to validate Conditional Access policies before implementing them.

You can view Conditional Access report-only policies by using filters in the Entra admin center. Microsoft 365 doesn't provide any direct report for them.

  • On the Conditional Access policies page, select Add filter.
  • Set the 'Filter' to State and for the 'Value', select only the Report-only mode.
  • Now, you can view all the report-only not applied CA policies in your Microsoft 365.

Additionally, Conditional Access report-only mode policies are not enforced but can be evaluated during sign-ins. You can check this via the Azure AD Sign-in logs under the Monitoring & Health section of the Entra admin center.

With AdminDroid, monitoring report-only mode CA policies is effortless!

  • In the All Conditional Access Policies report, set the policy state to 'Enabled For Reporting But Not Enforced' to view all report-only mode CA policies with granular details.
  • You can also view enabled and disabled Conditional Access policies by adjusting the Policy State filter to suit your needs.
report-only-mode-ca-policies

Handy Hint: Want a better view? Switch from tables to insightful dashboards by selecting Graphical View»Detailed Chart View on your CA report page. Tailor your charts with the Customize option to fit your needs perfectly.

ca-policies-detailed-view

2. How to audit Conditional Access policy changes?

If an admin notices an unauthorized policy change, that permits access from an untrusted location, it could be a sign of a compromised admin account. Catching this early is essential for taking quick action and stopping potential security breaches Microsoft 365 organizations. That's why monitoring Conditional Access policy changes is key to maintaining Microsoft 365 security. Here's how you can audit these changes:

  • Log in to the Microsoft Entra admin center and navigate to the Audit logs page in the Monitoring & health section.
  • Specify the date range you want to examine the relevant changes.
  • In the 'Service' filter, select 'Conditional Access' and click Apply.
  • Look for the Update conditional access policy activity under the 'Activity' category.
  • Choose the specific policy you want to monitor for changes.
  • Under the 'Modified Properties' tab, select 'Click here to view changes to the Conditional Access policy (Preview)' to see a detailed history of changes made to the policy.
ca-policy-changes

While Microsoft provides tools to view Conditional Access policy changes, the process often involves tedious repetition for each policy, making it difficult to efficiently track updates or changes.

Struggling to track updates across multiple Conditional Access policies? Let AdminDroid streamline it for you!

  • AdminDroid simplifies monitoring by consolidating all modified policies into one comprehensive report.
  • The 'Recently Modified Policies' report enables admins to effortlessly audit Conditional Access policy changes and proactively secure the system, ensuring comprehensive oversight and security.
recently-modified-ca-policies

3. How to detect users excluded from Conditional Access policies?

For Microsoft 365 admins, identifying users excluded from Conditional Access policies is crucial for maintaining a secure environment. Users excluded from these policies may inadvertently bypass important security measures, leaving your organization vulnerable to potential threats. Ensuring users are excluded only for proper reasons helps to strengthen your overall security posture and reduces the risk of unauthorized access.

  • Open the Conditional Access Policies page in the Microsoft Entra admin center.
  • Click on the Conditional Access policy you want to review.
  • Under the Users category, you will find one of these options if any users are excluded from this policy.
    • All users included and specific users excluded.
    • Specific users included and specific users excluded.
  • Select the appropriate option and navigate to the Exclude category.
  • You will see all the users and groups who are excluded in the CA policy.
excluded-users-in-ca-policies

Viewing users excluded from Conditional Access policies through the Microsoft Entra admin center can be time-consuming and prone to errors due to the manual steps involved. It doesn't provide a centralized view of exclusions in all CA policies, making it hard to get a complete picture of your exclusions list. The limited reporting features hinder efficient analysis and sharing.

Microsoft 365 may lack reports on Conditional Access user conditions, but AdminDroid provides the necessary visibility.

  • User Conditions on CA Policies report in AdminDroid showcases the included and excluded users for each CA policy in your Microsoft 365 environment.
  • You can easily view the excluded user conditions on CA policies with AdminDroid's dedicated filter.
user-conditions-on-ca-policies

4. How to monitor Conditional Access policies for sign-in risks and user risks?

Imagine the CEO's account is flagged for suspicious activity due to a sign-in attempt from an unfamiliar location. This is where monitoring Conditional Access (CA) policies for sign-in risk and user risk becomes vital.

Understanding sign-in risk and user risk

  • Sign-In Risk: Refers to the likelihood that a sign-in attempt might be fraudulent. It is calculated based on factors like the sign-in location, device, and user behavior patterns.
  • User Risk: The probability that an account might be compromised, assessed by analyzing the user’s activity and potential security threats.

CA policies help detect unusual behavior and enforce multi-factor authentication (MFA) to prevent unauthorized access. Regularly checking these risk-based CA policies ensures that sign-in risks and user risks are managed by the latest security measures, keeping your organization safe.

  • Open the Conditional Access policies page in the Microsoft Entra admin center.
  • Select the 'Add filter' option and set the Condition value as User risk and Sign-in risk.
  • Now, view all the Conditional Access policies based on user risk and sign-in risk configured in your organization.

Navigating multiple tabs and applying numerous filters in the Entra admin center can be tedious. This process is often time-consuming when gathering crucial details of risk-based Conditional Access policies.

Fortunately, the Policies on User Assignments report from AdminDroid simplifies monitoring risk conditions in Conditional Access policies!

  • Admins get a clear overview of user assignments and configured risk levels using this comprehensive report.
  • This enables admins to monitor effectively and make informed decisions to adjust Conditional Access policies as needed.
risk-based-ca-policies

5. How to find Conditional Access policies configured with device filters?

After the pandemic, Microsoft allowed users to access services from anywhere and anytime, accommodating a variety of devices and increasing remote work. This shift makes it crucial for admins to secure the organization's apps and data on these devices. Conditional Access policies for devices enforce critical security measures to protect against unauthorized access and data breaches.

Identifying these device-based Conditional Access policies is essential not only to ensure security but also to prevent locking out legitimate users inadvertently.

  • From the 'Conditional Access > Policies' page of Entra Admin Center, click the Add filter button.
  • Set the Condition value to Device platforms.
  • Select Apply to view only the device-based Conditional Access policies in your organization.

Unfortunately, Microsoft 365 doesn't provide explicit reports on Conditional Access policies with device and app configurations. This makes it challenging for administrators to track and manage them effectively.

Where the Microsoft 365 native method leaves off, AdminDroid steps in by offering precise reports on Conditional Access and its configurations!

  • It highlights all policies with device configurations in the 'Policies with Devices Conditions' report.
  • This report shows the device conditions in your CA policies, including policy name, included devices, excluded devices, and more.
device-based-ca-policies

Handy Hint: Quickly download and share your reports with a single click! Use the download button in the top right corner 📥 to export data in popular formats like HTML, PDF, CSV, XLS, XLSX, and RAW.

6. How to identify CA policies configured for all trusted networks?

An admin should regularly review Conditional Access (CA) policies, especially all trusted configurations, to ensure security. For instance, if certain networks previously marked as trusted are compromised during a breach, they need to be reevaluated. Regular reviews help identify and mitigate these risks, ensuring that only genuine trusted networks remain approved. This proactive approach helps maintain robust security and prevent unauthorized access from compromised locations.

  • Go to the Conditional Access Policies page in the Microsoft Entra admin center.
  • Select ‘Add filter’ and choose the Filter as Condition.
  • Set the Value as Locations.

This will list all location-based Conditional Access policies. If you have numerous policies, finding those with all trusted or custom-selected networks can be challenging as each policy must be reviewed separately. This is where native methods can be insufficient.

When Microsoft 365 native methods fall short, AdminDroid lends a hand!

  • With Conditional Access Policies with Location Conditions report from AdminDroid, you gain detailed insights and easier navigation compared to native methods.
  • By selecting 'All trusted' under Included Locations, you can easily view all policies configured with trusted location conditions and monitor key details, such as policy state, access control settings, etc.
location-based-ca-policies

Kickstart Your Journey With
AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities

Download Now
Browse All Guides
User Help Manuals Compliance Docs
All Guides 99+
Azure AD
How to Generate Conditional Access Policies Report in Microsoft Entra ID
Azure AD Guides
x
Delivering Reports on Time
Delivering Reports on Time
Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid's Scheduling to your email anytime you need.
Delivering Reports on Time
Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add inteligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.
Set It, Schedule It, See Results- Your Reports, Your Way, On Your Time!
Time Saving
Automation
Customization
Intelligent Filtering
Give Just the Right Access to the Right People
Give Just the Right Access to the Right People
Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.
Give Just the Right Access to the Right People
Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.
Align, Define, Simplify: AdminDroid's Granular Delegation
Smart Organizational Control
Effortless M365 Management
Simplified Access
Advanced Alerts at a Glance
Advanced Alerts at a Glance
Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.
Advanced Alerts at a Glance
Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.
AdminDroid Keeps You Always Vigilant, Never Vulnerable!
Proactive Protection
Real-time Monitoring
Security Intelligence
Threat Detection
Merge the Required Data to One Place
Merge the Required Data to One Place
Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.
Merge the Required Data to One Place
This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.
Merge with Ease and Save as Views!
Custom Reporting
Unique View
Desired Columns
Easy Data Interpretation
Insightful Charts and Exclusive Dashboards
Insightful Charts and Exclusive Dashboards
Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.
Insightful Charts and Exclusive Dashboards
With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.
Explore Your Microsoft 365 Tenant in a Whole New Way!
Executive overviews
Interactive insights
Decision-making
Data Visualization
Efficient Report Exporting for Microsoft 365
Efficient Report Exporting for Microsoft 365
Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.
Efficient Report Exporting for Microsoft 365
Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.
Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!
Easy Export
Seamless Downloading
Data Control
Manage Microsoft 365

Get AdminDroid Office 365 Reporter Now!

Free Download Live Demo