Conditional Access
Stop clicking around. Start hunting.
KQL Queries
Kusto Query Language (KQL) is the fastest way to slice through Microsoft Entra sign-in logs and find what matters. Instead of digging through endless menus, KQL gives you answers in seconds. Want to know why users are blocked? Need to determine within seconds whether a Conditional Access policy is causing chaos? KQL queries do the heavy lifting so you can focus on fixing problems, not hunting for them.
-
SigninLogs
| where RiskLevelDuringSignIn in ("high", "medium")
| where ConditionalAccessStatus == "notApplied"
| project TimeGenerated, UserPrincipalName, RiskLevelDuringSignIn, IPAddress
-
SigninLogs
// Begin with the table containing interactive sign-in events from Microsoft Entra
| where TimeGenerated >= ago(7d)
// Limit results to the last 7 days
| where ResultType == "53003" or toint(Status.errorCode) == 53003
// Filter sign-ins that returned error code 53003 (BlockedByConditionalAccess); ResultType is a string column and Status.errorCode is dynamic, so compare with matching types
| extend FailureReason = coalesce(Status.additionalDetails, Status.failureReason)
// Add a friendly column explaining why the sign-in was blocked (prefer detailed text if available)
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Location = tostring(LocationDetails), ResultType, FailureReason
// Select only the most useful columns for triage: timestamp, user, app, IP, location, result code, and failure reason
| order by TimeGenerated desc
// Show most recent failures first
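To see which Conditional Access policy is behind the 53003 blocks listed by the query above, the following added example (not part of the original page) expands the per-policy evaluation results and counts blocks per policy. It assumes the standard SigninLogs column ConditionalAccessPolicies with the fields displayName, id and result, and reuses the 7-day window from the query above.

```kql
SigninLogs
// Same 7-day window and error code as the triage query above
| where TimeGenerated >= ago(7d)
| where ResultType == "53003"
// ConditionalAccessPolicies holds one entry per evaluated policy;
// round-trip through tostring/parse_json so it expands whether stored as dynamic or string
| extend Policies = parse_json(tostring(ConditionalAccessPolicies))
| mv-expand Policy = Policies
// Keep only the policies whose evaluation actually failed for this sign-in
| where tostring(Policy.result) == "failure"
| summarize
    BlockedSignIns = count(),
    AffectedUsers = dcount(UserPrincipalName),
    Apps = make_set(AppDisplayName, 10),
    LastSeen = max(TimeGenerated)
    by PolicyName = tostring(Policy.displayName), PolicyId = tostring(Policy.id)
// Policies blocking the most sign-ins first
| order by BlockedSignIns desc
```

A policy with a high BlockedSignIns count across many AffectedUsers shortly after a policy change is the usual sign of a misconfigured assignment or condition.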