Merge pull request #127567 from MicrosoftGuyJFlo/CABacklog1007878

[Azure AD] Conditional Acces - Backlog item 1007878

Author: American-Dipper

.openpublishing.redirection.json

@@ -23468,6 +23468,11 @@
       "redirect_url": "/azure/active-directory/hybrid/tshoot-connect-password-hash-synchronization",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/active-directory/conditional-access/howto-conditional-access-report-only.md",
+      "redirect_url": "/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting",
+      "redirect_document_id": true
+    },
     {
       "source_path": "articles/iot-hub/iot-hub-security-ground-up.md",
       "redirect_url": "/azure/iot-fundamentals/iot-security-ground-up",

articles/active-directory/authentication/concept-resilient-controls.md

@@ -86,7 +86,7 @@ This example policy set will grant selected users in **AppUsers**, access to sel
 
 ### Contingencies for user lockout
 
-Alternatively, your organization can also create contingency policies. To create contingency policies, you must define tradeoff criteria between business continuity, operational cost, financial cost, and security risks. For example, you may activate a contingency policy only to a subset of users, for a subset of apps, for a subset of clients, or from a subset of locations. Contingency policies will give administrators and end users access to apps and resources, during a disruption when no mitigation method was implemented. Microsoft recommends enabling contingency policies in [report-only mode](../conditional-access/howto-conditional-access-report-only.md) when not in use so that administrators can monitor the potential impact of the policies should they need to be turned on.
+Alternatively, your organization can also create contingency policies. To create contingency policies, you must define tradeoff criteria between business continuity, operational cost, financial cost, and security risks. For example, you may activate a contingency policy only to a subset of users, for a subset of apps, for a subset of clients, or from a subset of locations. Contingency policies will give administrators and end users access to apps and resources, during a disruption when no mitigation method was implemented. Microsoft recommends enabling contingency policies in [report-only mode](../conditional-access/howto-conditional-access-insights-reporting.md) when not in use so that administrators can monitor the potential impact of the policies should they need to be turned on.
 
  Understanding your exposure during a disruption helps reduce your risk and is a critical part of your planning process. To create your contingency plan, first determine the following business requirements of your organization:
 

articles/active-directory/conditional-access/TOC.yml

@@ -33,8 +33,6 @@
        href: concept-conditional-access-grant.md
      - name: Session
        href: concept-conditional-access-session.md
-  - name: Insights and reporting
-    href: howto-conditional-access-insights-reporting.md
   - name: Report-only mode
     href: concept-conditional-access-report-only.md
   - name: Service dependencies
@@ -78,6 +76,8 @@
       href: howto-conditional-access-policy-block-access.md
   - name: Block legacy authentication
     href: block-legacy-authentication.md
+  - name: Configure report only mode
+    href: howto-conditional-access-insights-reporting.md
   - name: Require approved client apps
     href: app-based-conditional-access.md
   - name: Require app protection policy
@@ -88,12 +88,8 @@
     href: untrusted-networks.md
   - name: Require terms of use
     href: terms-of-use.md
-  - name: Configure report-only mode
-    href: howto-conditional-access-report-only.md
   - name: Sign-in frequency and browser persistence controls
     href: howto-conditional-access-session-lifetime.md
-  - name: Migrate classic policies
-    href: policy-migration-mfa.md
   - name: Troubleshooting
     items:
     - name: Troubleshoot sign-in problems
@@ -102,6 +98,8 @@
       href: troubleshoot-conditional-access-what-if.md
     - name: FAQ
       href: faqs.md
+  - name: Migrate classic policies
+    href: policy-migration-mfa.md
 - name: Reference
   items:
   - name: Beta Graph APIs

articles/active-directory/conditional-access/block-legacy-authentication.md

@@ -82,7 +82,7 @@ Before you can block legacy authentication in your directory, you need to first
 
 1. Navigate to the **Azure portal** > **Azure Active Directory** > **Sign-ins**.
 1. Add the Client App column if it is not shown by clicking on **Columns** > **Client App**.
-1. **Add filters** > **Client App** > select all of the legacy authentication protocols. Select outside the filtering dialog blox to apply your selections and close the dialog box.
+1. **Add filters** > **Client App** > select all of the legacy authentication protocols. Select outside the filtering dialog box to apply your selections and close the dialog box.
 
 Filtering will only show you sign-in attempts that were made by legacy authentication protocols. Clicking on each individual sign-in attempt will show you additional details. The **Client App** field under the **Basic Info** tab will indicate which legacy authentication protocol was used.
 
@@ -119,7 +119,7 @@ You can select all available grant controls for the **Other clients** condition;
 
 ## Next steps
 
-- [Determine impact using Conditional Access report-only mode](howto-conditional-access-report-only.md)
+- [Determine impact using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)
 - If you are not familiar with configuring Conditional Access policies yet, see [require MFA for specific apps with Azure Active Directory Conditional Access](../authentication/tutorial-enable-azure-mfa.md) for an example.
 - For more information about modern authentication support, see [How modern authentication works for Office 2013 and Office 2016 client apps](/office365/enterprise/modern-auth-for-office-2013-and-2016) 
-- [How to set up a multifunction device or application to send email using Office 365 and Microsoft 365](/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-office-3)
+- [How to set up a multifunction device or application to send email using Office 365 and Microsoft 365](/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-office-3)

articles/active-directory/conditional-access/concept-conditional-access-report-only.md

@@ -48,4 +48,4 @@ Administrators have the capability to create multiple policies in report-only mo
 
 ## Next steps
 
-[Configure report-only mode on a Conditional Access policy](howto-conditional-access-report-only.md)
+[Configure report-only mode on a Conditional Access policy](howto-conditional-access-insights-reporting.md)

articles/active-directory/conditional-access/howto-conditional-access-insights-reporting.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 05/01/2020
+ms.date: 08/27/2020
 
 ms.author: joflore
 author: MicrosoftGuyJFlo
@@ -94,6 +94,22 @@ View the breakdown of users or sign-ins for each of the conditions. You can filt
 
 You can also investigate the sign-ins of a specific user by searching for sign-ins at the bottom of the dashboard. The query on the left displays the most frequent users. Selecting a user will filter the query to the right.  
 
+> [!NOTE]
+> When downloading the Sign-ins logs, choose JSON format to include Conditional Access report-only result data.
+
+## Configure a Conditional Access policy in report-only mode
+
+To configure a Conditional Access policy in report-only mode:
+
+1. Sign into the **Azure portal** as a Conditional Access administrator, security administrator, or global administrator.
+1. Browse to **Azure Active Directory** > **Security** > **Conditional Access**.
+1. Select an existing policy or create a new policy.
+1. Under **Enable policy** set the toggle to **Report-only** mode.
+1. Select **Save**
+
+> [!TIP]
+> Editing the **Enable policy** state of an existing policy from **On** to **Report-only** disables existing policy enforcement. 
+
 ## Troubleshooting
 
 ### Why are queries failing due to a permissions error?
@@ -109,6 +125,10 @@ In order to access the workbook, you need the proper Azure AD permissions as wel
 
 For more information about how to stream Azure AD sign-in logs to a Log Analytics workspace, see the article [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md).
 
+### Why are the queries in the workbook failing?
+
+Customers have noticed that queries sometimes fail if the wrong or multiple workspaces are associated with the workbook. To fix this problem, click **Edit** at the top of the workbook and then the Settings gear. Select and then remove workspaces that are not associated with the workbook. There should be only one workspace associated with each workbook.
+
 ### Why is the Conditional Access policies parameter is empty?
 
 The list of policies is generated by looking at the policies evaluated for the most recent sign-in event. If there are no recent sign-ins in your tenant, you may need to wait a few minutes for the workbook to load the list of Conditional Access policies. This can happen immediately after configuring Log Analytics or may take longer if a tenant doesn’t have recent sign-in activity.
@@ -131,4 +151,8 @@ You can edit and customize the workbook by going to **Azure Active Directory** >
 
 ## Next steps
 
-[Conditional Access report-only mode](concept-conditional-access-report-only.md)
+- [Conditional Access report-only mode](concept-conditional-access-report-only.md)
+
+- For more information about Azure AD workbooks, see the article, [How to use Azure Monitor workbooks for Azure Active Directory reports](../reports-monitoring/howto-use-azure-monitor-workbooks.md).
+
+- [Conditional Access common policies](concept-conditional-access-policy-common.md)

articles/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa.md

@@ -78,6 +78,6 @@ The following steps will help create a Conditional Access policy to require thos
 
 [Conditional Access common policies](concept-conditional-access-policy-common.md)
 
-[Determine impact using Conditional Access report-only mode](howto-conditional-access-report-only.md)
+[Determine impact using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)
 
 [Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)

articles/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa.md

@@ -73,6 +73,6 @@ In the example policy above, an organization may choose to not require multi-fac
 
 [Conditional Access common policies](concept-conditional-access-policy-common.md)
 
-[Determine impact using Conditional Access report-only mode](howto-conditional-access-report-only.md)
+[Determine impact using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)
 
 [Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)

articles/active-directory/conditional-access/howto-conditional-access-policy-azure-management.md

@@ -56,6 +56,6 @@ The following steps will help create a Conditional Access policy to require thos
 
 [Conditional Access common policies](concept-conditional-access-policy-common.md)
 
-[Determine impact using Conditional Access report-only mode](howto-conditional-access-report-only.md)
+[Determine impact using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)
 
 [Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)

articles/active-directory/conditional-access/howto-conditional-access-policy-block-access.md

@@ -35,7 +35,7 @@ Conditional Access policies are powerful tools, we recommend excluding the follo
 
 ## Create a Conditional Access policy
 
-The following steps will help create Conditional Access policies to block access to all apps except for [Office 365](concept-conditional-access-cloud-apps.md#office-365-preview) if users are not on a trusted network. These policies are put in to [Report-only mode](howto-conditional-access-report-only.md) to start so administrators can determine the impact they will have on existing users. When administrators are comfortable that the policies apply as they intend, they can switch them to **On**.
+The following steps will help create Conditional Access policies to block access to all apps except for [Office 365](concept-conditional-access-cloud-apps.md#office-365-preview) if users are not on a trusted network. These policies are put in to [Report-only mode](howto-conditional-access-insights-reporting.md) to start so administrators can determine the impact they will have on existing users. When administrators are comfortable that the policies apply as they intend, they can switch them to **On**.
 
 The first policy blocks access to all apps except for Office 365 applications if not on a trusted location.
 
@@ -81,6 +81,6 @@ A second policy is created below to require multi-factor authentication or a com
 
 [Conditional Access common policies](concept-conditional-access-policy-common.md)
 
-[Determine impact using Conditional Access report-only mode](howto-conditional-access-report-only.md)
+[Determine impact using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md)
 
 [Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)