
Insights into privileged accounts via workbooks

Azure workbooks can give you insights into the impact of your Conditional Access baseline. The Azure workbooks are easy to configure. Even the look and feel is adjustable to your preferences with KQL. I think that any good implementation starts with determining if the change has an impact on the users.

The Azure workbooks can report on Conditional Access rules that have one of the following statuses:

  • On – Report via Azure Runbooks, but can have an impact on the user.
  • Report only – Does not have an impact on the user; it only reports if the user hits one of the rules.

How to – Configure the Azure workbook

In the table below you can see how to configure your first Azure workbook.

Description | Screenshot

Start the Azure portal and open the storage account blade. Create a new storage account.

  • Subscription – Fill in a subscription name
  • Resource group – Select your resource group
  • Storage account name – signinlogging
  • Location – Use the tenant location
  • Performance – Standard
  • Account kind – Storage V2 (general purpose)
  • Replication – Read-access geo-redundant storage

[Screenshot: CAD Storage account]

Open the Azure Active Directory blade, followed by Monitoring > Audit logs. You now see the option Export Data settings. Add the option diagnostics settings.

Add your storage account to the option "Archive to a storage account". Secondly, determine your retention period.

  • Audit logs: 30 days
  • SignInLogs: 90 days

Notes

  • Only the SignInLogs are applicable for insights into Conditional Access settings.
  • A storage account is a paid Azure service. Approximately 30 MB of storage space per 1000 users is required every day. See the pricing calculator.

[Screenshot: CAD Diagnostics settings]

In this example, I configured the following policy settings:

  • Users and groups – include the Global Admins
  • Cloud apps or actions – all
  • Conditions – Exclude compliant devices
  • Grant – Require Multi-Factor Authentication

The policy can be enabled in one of two states:

  • Report only – no impact, only logging.
  • On – Potential impact on users and admins, be careful!

It's recommended to start with report-only to mitigate the risk of blocking users, and to first investigate the impact via the Conditional Access workbook.

[Screenshot: CAD policy report only]

The Access insights workbook provides insights into the impact the policy has. I recommend that you use the report-only option to evaluate the impact before you enable the policy for a large group.

Conditional Access policies are separated between enabled and report-only | Overview conditional access workbook report
[Screenshot: CAD Access insights] | [Screenshot: CAD Overview Conditional Access]
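
The report-only outcomes that the workbook visualises can also be tallied straight from the sign-in records archived to the storage account. The script below is an added example, not part of the original post. It assumes one JSON record per line with a `properties.appliedConditionalAccessPolicies` list carrying `displayName` and `result`; the policy names, users and sample lines are constructed.

```python
import json
from collections import Counter, defaultdict

# Report-only result values -> what enforcing the policy would have meant.
IMPACT = {
    "reportOnlyFailure": "would_block",       # grant controls not satisfied
    "reportOnlyInterrupted": "would_prompt",  # user action (e.g. MFA) needed
    "reportOnlySuccess": "no_impact",         # controls already satisfied
    "reportOnlyNotApplied": "not_applied",    # conditions did not match
}

def summarize_report_only(lines):
    """Tally report-only outcomes per policy from JSON-lines sign-in records."""
    summary = defaultdict(lambda: {"counts": Counter(), "affected_users": set()})
    for line in lines:
        try:
            props = json.loads(line).get("properties") or {}
        except (json.JSONDecodeError, AttributeError):
            continue  # skip truncated or non-object lines instead of aborting
        for policy in props.get("appliedConditionalAccessPolicies") or []:
            impact = IMPACT.get(policy.get("result"))
            if impact is None:
                continue  # enforced ("On") or disabled policies are not tallied
            entry = summary[policy.get("displayName", "<unnamed>")]
            entry["counts"][impact] += 1
            if impact in ("would_block", "would_prompt"):
                entry["affected_users"].add(props.get("userPrincipalName", "<unknown>"))
    return dict(summary)

def _record(upn, policy, result):
    # Builds one constructed sample line; the field names are an assumed layout.
    return json.dumps({"properties": {
        "userPrincipalName": upn,
        "appliedConditionalAccessPolicies": [{"displayName": policy, "result": result}],
    }})

MFA = "Require MFA for Global Admins"  # hypothetical policy name
SAMPLE_LINES = [
    _record("admin1@contoso.example", MFA, "reportOnlyInterrupted"),
    _record("admin2@contoso.example", MFA, "reportOnlySuccess"),
    _record("admin1@contoso.example", MFA, "reportOnlyFailure"),
    _record("user3@contoso.example", MFA, "reportOnlyNotApplied"),
    _record("admin2@contoso.example", "Block legacy auth", "success"),
    '{"properties": {"userPrincipalName": "trunc',  # constructed malformed line
]

if __name__ == "__main__":
    for name, entry in summarize_report_only(SAMPLE_LINES).items():
        print(name, dict(entry["counts"]), sorted(entry["affected_users"]))
```

The `affected_users` set is the list to review before switching the policy from report-only to On: those accounts would have been prompted or blocked.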