Azure
Add Conditional Access Insights Workbook for Microsoft Entra ID
Required items, please complete
Change(s):
Added ConditionalAccessSISM.json workbook to Solutions/Microsoft Entra ID/Workbooks/ New comprehensive Conditional Access monitoring workbook for Microsoft Sentinel Provides real-time insights into CA policies using AuditLogs and SigninLogs Includes user monitoring, workload identity analysis, and emergency account tracking Reason for Change(s):
Enhances Microsoft Entra ID solution set with specialized Conditional Access monitoring capabilities Addresses gap in comprehensive CA policy analysis and monitoring tools Provides administrators with actionable insights for Zero Trust implementation Supports both user accounts and workload identities in CA policy evaluation Version Updated:
N/A (New workbook submission, not updating existing detection/analytic rule) Testing Completed:
Yes - Workbook has been tested in Microsoft Sentinel environment Validated with AuditLogs and SigninLogs data sources Confirmed compatibility with Log Analytics workspace queries Tested across multiple CA policy scenarios and configurations All KQL queries execute successfully without custom parsers or functions Checked that the validations are passing and have addressed any issues that are present:
Yes - Workbook follows standard JSON structure for Microsoft Sentinel workbooks All queries use standard Microsoft Entra ID log tables (AuditLogs, SigninLogs, AADServicePrincipalSignInLogs, AADRiskyServicePrincipals) No custom parsers or functions required Workbook structure aligns with existing Microsoft Entra ID workbooks in the repository
I saw the last error. I uploaded two images and updated the meta file. Please review.
@sreedharande I updated the meta file. It seemed the array was duplicate.