Azure workbooks can give you insights into the impact of your Conditional Access baseline. The Azure workbooks are easy to configure. Even the look-and-feels are adjustable to your preferences with KQL. I think that any good implementation starts with determining if the change has an impact on the users.
The Azure workbooks can report about Conditional Access rules that have one of the following statuses
- On Report via Azure Runbooks but can have an impact on the user.
- Report only Does not have an impact on the user it only reports if the user hits one of the rules.
How to – Configure the Azure workbook
In the table below you can see how you can configure your first the Azure workbook.
| Description | Screenshot |
| Start the Azure portal and open the storage account blade. Create a new storage account. Subscription – Fill in a subscription name Resource group – Select your resource group Storage account name – signinlogging Location – Use the tenant location Performance – Standard Account kind – Storage V2 (general purpose) Replication – Read-access geo-redundant storage |  |
| Open the Azure Active Directory blade, followed by monitoring > audit logs. You see now the option Export Data settings. Add the option diagnostics settings. Add your storage account to the option archive to a storage account. Secondly, determine your retention period. Audit logs: 30 days SignInLogs: 90 days Notes Only the SignInlogs are applicable for insights of Conditional Access settings. A storage account is a paid Azure service. Approximately 30MB of storage space per 1000 users is required every day. See pricing calculator |  |
| In this example, I configured the following policy settings Users and groups – include the Global Admins Cloud apps or actions – all Conditions – Exclude compliant devices Grant – Require Multi-Factor-Authentication Report only – no impact only logging. On – Potential impact on users and admins be careful! It’s recommended to start with report-only to mitigate the risks of blocking users and investigate first the impact via the workbook about conditional access |  |
The workbook access insights provide insights into the impact the policy has. I recommend you to use the report-only option to evaluate the impact before you enable the policy for a large group.
| Conditional Access policies are separated between enabled and report-only | Overview conditional access workbook report |
 |  |
Related blogs
- WorkplaceAsCode.com – Why do I need a second authentication factor?