Merge pull request #211618 from ShawnJackson/how-to-view-applied-conditional-access-policies

itechedit · web-flow · commit 86800f34c6ee · 2022-09-21T10:18:04.000-07:00
edit pass: how-to-view-applied-conditional-access-policies
diff --git a/articles/active-directory/reports-monitoring/how-to-view-applied-conditional-access-policies.md b/articles/active-directory/reports-monitoring/how-to-view-applied-conditional-access-policies.md
@@ -1,7 +1,7 @@
 ---
 
-title: How to view applied conditional access policies in the Azure AD sign-in logs | Microsoft Docs
-description: Learn how to view applied conditional access policies in the Azure AD sign-in logs
+title: View applied Conditional Access policies in Azure AD sign-in logs
+description: Learn how to view Conditional Access policies in Azure AD sign-in logs so that you can assess the impact of those policies.
 services: active-directory
 documentationcenter: ''
 author: MarkusVi
@@ -19,45 +19,35 @@ ms.reviewer: besiler
 ms.collection: M365-identity-device-management
 ---
 
-# How to: View applied conditional access policies in the Azure AD sign-in logs
+# View applied Conditional Access policies in Azure AD sign-in logs
 
-With conditional access policies, you can control, how your users get access to the resources of your Azure tenant. As a tenant admin, you need to be able to determine what impact your conditional access policies have on sign-ins to your tenant, so that you can take action if necessary. The sign-in logs in Azure AD provide you with the information you need to assess the impact of your policies.
-
-  
-This article explains how you can get access to the information about applied conditional access policies. 
+With Conditional Access policies, you can control how your users get access to the resources of your Azure tenant. As a tenant admin, you need to be able to determine what impact your Conditional Access policies have on sign-ins to your tenant, so that you can take action if necessary. 
 
+The sign-in logs in Azure Active Directory (Azure AD) give you the information that you need to assess the impact of your policies. This article explains how to view applied Conditional Access policies in those logs.
 
 ## What you should know
 
 As an Azure AD administrator, you can use the sign-in logs to:
 
-- Troubleshoot sign in problems
-- Check on feature performance
-- Evaluate security of a tenant
-
-Some scenarios require you to get an understanding for how your conditional access policies were applied to a sign-in event. Common examples include:
-
-- **Helpdesk administrators** who need to look at applied conditional access policies to understand if a policy is the root cause of a ticket opened by a user. 
-
-- **Tenant administrators** who need to verify that conditional access policies have the intended impact on the users of a tenant.
+- Troubleshoot sign-in problems.
+- Check on feature performance.
+- Evaluate the security of a tenant.
 
+Some scenarios require you to get an understanding of how your Conditional Access policies were applied to a sign-in event. Common examples include:
 
-You can access the sign-in logs using the Azure portal, MS Graph, and PowerShell.  
+- *Helpdesk administrators* who need to look at applied Conditional Access policies to understand if a policy is the root cause of a ticket that a user opened. 
 
+- *Tenant administrators* who need to verify that Conditional Access policies have the intended impact on the users of a tenant.
 
+You can access the sign-in logs by using the Azure portal, Microsoft Graph, and PowerShell.  
 
 ## Required administrator roles 
 
+To see applied Conditional Access policies in the sign-in logs, administrators must have permissions to view both the logs and the policies.
 
-To see applied conditional access policies in the sign-in logs, administrators must have permissions to:  
-
-- View sign-in logs 
-- View conditional access policies
-
-The least privileged built-in role that grants both permissions is the **Security Reader**. As a best practice, your global administrator should add the **Security Reader** role to the related administrator accounts. 
-
+The least privileged built-in role that grants both permissions is *Security Reader*. As a best practice, your global administrator should add the Security Reader role to the related administrator accounts. 
 
-The following built in roles grant permissions to read conditional access policies:
+The following built-in roles grant permissions to read Conditional Access policies:
 
 - Global Administrator 
 
@@ -70,7 +60,7 @@ The following built in roles grant permissions to read conditional access polici
 - Conditional Access Administrator 
 
 
-The following built in roles grant permission to view sign-in logs: 
+The following built-in roles grant permission to view sign-in logs: 
 
 - Global Administrator 
 
@@ -82,64 +72,57 @@ The following built in roles grant permission to view sign-in logs:
 
 - Reports Reader 
 
-
 ## Permissions for client apps 
 
-If you use a client app to pull sign-in logs from Graph, your app needs permissions to receive the **appliedConditionalAccessPolicy** resource from Graph. As a best practice, assign **Policy.Read.ConditionalAccess** because it's the least privileged permission. Any of the following permissions is sufficient for a client app to access applied CA policies in sign-in logs through Graph: 
+If you use a client app to pull sign-in logs from Microsoft Graph, your app needs permissions to receive the `appliedConditionalAccessPolicy` resource from Microsoft Graph. As a best practice, assign `Policy.Read.ConditionalAccess` because it's the least privileged permission. 
 
-- Policy.Read.ConditionalAccess 
+Any of the following permissions is sufficient for a client app to access applied certificate authority (CA) policies in sign-in logs through Microsoft Graph: 
 
-- Policy.ReadWrite.ConditionalAccess 
+- `Policy.Read.ConditionalAccess` 
 
-- Policy.Read.All 
+- `Policy.ReadWrite.ConditionalAccess` 
 
- 
+- `Policy.Read.All` 
 
 ## Permissions for PowerShell 
 
-Like any other client app, the Microsoft Graph PowerShell module needs client permissions to access applied conditional access policies in the sign-in logs. To successfully pull applied conditional access in the sign-in logs, you must consent to the necessary permissions with your administrator account for MS Graph PowerShell. As a best practice, consent to:
+Like any other client app, the Microsoft Graph PowerShell module needs client permissions to access applied Conditional Access policies in the sign-in logs. To successfully pull applied Conditional Access policies in the sign-in logs, you must consent to the necessary permissions with your administrator account for Microsoft Graph PowerShell. As a best practice, consent to:
 
-- Policy.Read.ConditionalAccess
-- AuditLog.Read.All 
-- Directory.Read.All 
+- `Policy.Read.ConditionalAccess`
+- `AuditLog.Read.All` 
+- `Directory.Read.All` 
 
 These permissions are the least privileged permissions with the necessary access. 
 
 To consent to the necessary permissions, use: 
 
-` Connect-MgGraph -Scopes Policy.Read.ConditionalAccess, AuditLog.Read.All, Directory.Read.All `
+`Connect-MgGraph -Scopes Policy.Read.ConditionalAccess, AuditLog.Read.All, Directory.Read.All`
 
 To view the sign-in logs, use: 
 
-`Get-MgAuditLogSignIn `
-
-The output of this cmdlet contains a **AppliedConditionalAccessPolicies** property that shows all the conditional access policies applied to the sign-in. 
+`Get-MgAuditLogSignIn`
 
 For more information about this cmdlet, see [Get-MgAuditLogSignIn](https://learn.microsoft.com/powershell/module/microsoft.graph.reports/get-mgauditlogsignin?view=graph-powershell-1.0).
 
-The AzureAD Graph PowerShell module doesn't support viewing applied conditional access policies; only the Microsoft Graph PowerShell module returns applied conditional access policies.  
+The Azure AD Graph PowerShell module doesn't support viewing applied Conditional Access policies. Only the Microsoft Graph PowerShell module returns applied Conditional Access policies.  
 
 ## Confirming access 
 
-In the **Conditional Access** tab, you see a list of conditional access policies applied to that sign-in event.  
-
+On the **Conditional Access** tab, you see a list of Conditional Access policies applied to that sign-in event. 
 
-To confirm that you have admin access to view applied conditional access policies in the sign-ins logs, do: 
+To confirm that you have admin access to view applied Conditional Access policies in the sign-in logs: 
 
-1. Navigate to the Azure portal. 
+1. Go to the Azure portal. 
 
-2. In the top-right corner, select your directory, and then select **Azure Active Directory** in the left navigation pane. 
+2. In the upper-right corner, select your directory, and then select **Azure Active Directory** on the left pane. 
 
 3. In the **Monitoring** section, select **Sign-in logs**. 
 
-4. Click an item in the sign-in row table to bring up the Activity Details: Sign-ins context pane.  
-
-5. Click on the Conditional Access tab in the context pane. If your screen is small, you may need to click the ellipsis […] to see all context pane tabs.  
-
-
+4. Select an item in the sign-in table to open the **Activity Details: Sign-ins context** pane.  
 
+5. Select the **Conditional Access** tab on the context pane. If your screen is small, you might need to select the ellipsis (**...**) to see all tabs on the context pane.  
 
 ## Next steps
 
-* [Sign-ins error codes reference](./concept-sign-ins.md)
-* [Sign-ins report overview](concept-sign-ins.md)
+* [Sign-in error code reference](./concept-sign-ins.md)
+* [Sign-in report overview](concept-sign-ins.md)
