| 1 | +--- |
| 2 | +title: Monitor and troubleshoot sign-ins with continuous access evaluation in Azure AD |
| 3 | +description: Troubleshoot and respond to changes in user state faster with continuous access evaluation in Azure AD |
| 4 | + |
| 5 | +services: active-directory |
| 6 | +ms.service: active-directory |
| 7 | +ms.subservice: conditional-access |
| 8 | +ms.topic: how-to |
| 9 | +ms.date: 09/13/2021 |
| 10 | + |
| 11 | +ms.author: joflore |
| 12 | +author: MicrosoftGuyJFlo |
| 13 | +manager: daveba |
| 14 | +ms.reviewer: jlu |
| 15 | + |
| 16 | +ms.collection: M365-identity-device-management |
| 17 | +--- |
| 18 | +# Monitor and troubleshoot continuous access evaluation |
| 19 | + |
| 20 | +Administrators can monitor and troubleshoot sign in events where [continuous access evaluation (CAE)](concept-continuous-access-evaluation.md) is applied in multiple ways. |
| 21 | + |
| 22 | +## Continuous access evaluation sign-in reporting |
| 23 | + |
| 24 | +Administrators will have the opportunity to monitor user sign-ins where CAE is applied. This pane can be located by via the following instructions: |
| 25 | + |
| 26 | +1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. |
| 27 | +1. Browse to **Azure Active Directory** > **Sign-ins**. |
| 28 | +1. Apply the **Is CAE Token** filter. |
| 29 | + |
| 30 | +[  ](./media/howto-continuous-access-evaluation-troubleshoot/azure-ad-sign-ins-log-apply-filter.png#lightbox) |
| 31 | + |
| 32 | +From here, admins will be presented with information about their user’s sign-in events. Select any sign-in to see details about the session, like which Conditional Access policies were applied and is CAE enabled. |
| 33 | + |
| 34 | +A given sign-in attempt may display on either the interactive or non-interactive tab. Administrators may need to check both tabs as they track their user’s sign-ins. |
| 35 | + |
| 36 | +### Searching for specific sign-in attempts |
| 37 | + |
| 38 | +Use filters to narrow your search. For example, if a user signed in to Teams, use the Application filter and set it to Teams. Admins may need to check the sign-ins from both interactive and non-interactive tabs to locate the specific sign-in. To further narrow the search, admins may apply multiple filters. |
| 39 | + |
| 40 | +## Continuous access evaluation workbooks |
| 41 | + |
| 42 | +The continuous access evaluation insights workbook allows administrators to view and monitor CAE usage insights for their tenants. The first table displays authentication attempts with IP mismatches. The second table displays the support status of CAE across various applications. This workbook can be found as template under the Conditional Access category. |
| 43 | + |
| 44 | +### Accessing the CAE workbook template |
| 45 | + |
| 46 | +Log Analytics integration must be completed before workbooks are displayed. For more information about how to stream Azure AD sign-in logs to a Log Analytics workspace, see the article [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md). |
| 47 | + |
| 48 | +1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. |
| 49 | +1. Browse to **Azure Active Directory** > **Workbooks**. |
| 50 | +1. Under **Public Templates**, search for **Continuous access evaluation insights**. |
| 51 | + |
| 52 | +[  ](./media/howto-continuous-access-evaluation-troubleshoot/azure-ad-workbooks-continuous-access-evaluation.png#lightbox) |
| 53 | + |
| 54 | +The **Continuous access evaluation insights** workbook contains two tables: |
| 55 | + |
| 56 | +### Table 1: Potential IP address mismatch between Azure AD and resource provider |
| 57 | + |
| 58 | + |
| 59 | + |
| 60 | +The potential IP address mismatch between Azure AD & resource provider table allows admins to investigate sessions where the IP address detected by Azure AD doesn't match with the IP address detected by the Resource Provider. |
| 61 | + |
| 62 | +This workbook table sheds light on these scenarios by displaying the respective IP addresses and whether a CAE token was issued during the session. |
| 63 | + |
| 64 | +#### IP address configuration |
| 65 | + |
| 66 | +Your identity provider and resource providers may see different IP addresses. This mismatch may happen because of the following examples: |
| 67 | + |
| 68 | +- Your network implements split tunneling. |
| 69 | +- Your resource provider is using an IPv6 address and Azure AD is using an IPv4 address. |
| 70 | +- Because of network configurations, Azure AD sees one IP address from the client and your resource provider sees a different IP address from the client. |
| 71 | + |
| 72 | +If this scenario exists in your environment, to avoid infinite loops, Azure AD will issue a one-hour CAE token and won't enforce client location change during that one-hour period. Even in this case, security is improved compared to traditional one-hour tokens since we're still evaluating the other events besides client location change events. |
| 73 | + |
| 74 | +Admins can view records filtered by time range and application. Admins can compare the number of mismatched IPs detected with the total number of sign-ins during a specified time period. |
| 75 | + |
| 76 | +To unblock users, administrators can add specific IP addresses to a trusted named location. |
| 77 | + |
| 78 | +1. Sign in to the **Azure portal** as a Conditional Access Administrator, Security Administrator, or Global Administrator. |
| 79 | +1. Browse to **Azure Active Directory** > **Security** > **Conditional Access** > **Named locations**. Here you can create or update trusted IP locations. |
| 80 | + |
| 81 | +> [!NOTE] |
| 82 | +> Before adding an IP address as a trusted named location, confirm that the IP address does in fact belong to the intended organization. |
| 83 | +
| 84 | +For more information about named locations, see the article [Using the location condition](location-condition.md#named-locations) |
| 85 | + |
| 86 | +### Table 2: Continuous access evaluation support status |
| 87 | + |
| 88 | + |
| 89 | + |
| 90 | +The continuous access evaluation support status table allows admins to differentiate between client applications that support CAE and those client applications that don't support CAE. The table displays the number of user sign-ins for each client application. |
| 91 | + |
| 92 | +You may notice that the same application may appear as both supported and not supported. This duplication is because of a concept called client capability. Not all clients are CAE supported and capable. For example, if a customer has some users using the latest version of Outlook and others still using an older unsupported version, that customer will see Outlook instances as supported and non supported. The older version of Outlook isn't CAE capable can't do continuous access evaluation. For users that are using the most recent version of Outlook, the admin will see supported CAE status. |
| 93 | + |
| 94 | +Based on analysis, admins may choose to turn on strict enforcement within a Conditional Access policy. When strict enforcement is turned on, any client that isn't CAE capable will be rejected entirely. Admins can view records filtered by time range, application, and resource. |
| 95 | + |
| 96 | +## Next steps |
| 97 | + |
| 98 | +- [Integrate Azure AD logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) |
| 99 | +- [Using the location condition](location-condition.md#named-locations) |
| 100 | +- [Continuous access evaluation](concept-continuous-access-evaluation.md) |
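Review bot: several sentences in the new body text read as unedited drafts and should be tidied before merge: new-file line 24 "This pane can be located by via the following instructions" (drop "by"), line 32 "which Conditional Access policies were applied and is CAE enabled" (read "and whether CAE was enabled"), line 42 "found as template" (read "found as a template"), and line 92 "The older version of Outlook isn't CAE capable can't do continuous access evaluation" (insert "and"; also "non supported" should be "unsupported"). Line 84 is missing its terminating period after the link. Lines 58-59 and 88-89 are blank directly under the two "Table" headings where the earlier sections each carry a lightbox screenshot; if screenshots of the workbook tables were intended there, they did not make it into this diff. On substance, the "IP address configuration" section (lines 66-72) is the security-relevant part of the page and would read better if line 72 stated plainly that a mismatch record means the session fell back to a one-hour token with location-change enforcement suspended, so that admins reading Table 1 treat those rows as a reduced-enforcement condition to investigate rather than only a user-facing nuisance; the note at lines 81-82 could likewise say that the trusted-location workaround widens the trusted IP set and should be limited to confirmed corporate egress addresses, which is what the current wording at line 82 only implies.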