Merge pull request #226222 from shlipsey3/reports-backlog-items-020323

v-regandowner · web-flow · commit d740a3a1dc86 · 2023-02-03T12:35:55.000-05:00
reports-backlog-items
diff --git a/articles/active-directory/reports-monitoring/how-to-view-applied-conditional-access-policies.md b/articles/active-directory/reports-monitoring/how-to-view-applied-conditional-access-policies.md
@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.topic: how-to
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 10/31/2022
+ms.date: 02/03/2023
 ms.author: sarahlipsey
 ms.reviewer: besiler 
 
@@ -32,41 +32,30 @@ As an Azure AD administrator, you can use the sign-in logs to:
 
 Some scenarios require you to get an understanding of how your Conditional Access policies were applied to a sign-in event. Common examples include:
 
-- *Helpdesk administrators* who need to look at applied Conditional Access policies to understand if a policy is the root cause of a ticket that a user opened. 
+- Helpdesk administrators who need to look at applied Conditional Access policies to understand if a policy is the root cause of a ticket that a user opened. 
 
-- *Tenant administrators* who need to verify that Conditional Access policies have the intended effect on the users of a tenant.
+- Tenant administrators who need to verify that Conditional Access policies have the intended effect on the users of a tenant.
 
 You can access the sign-in logs by using the Azure portal, Microsoft Graph, and PowerShell.  
 
 ## Required administrator roles 
 
-To see applied Conditional Access policies in the sign-in logs, administrators must have permissions to view both the logs and the policies.
+To see applied Conditional Access policies in the sign-in logs, administrators must have permissions to view *both* the logs and the policies. The least privileged built-in role that grants *both* permissions is *Security Reader*. As a best practice, your Global Administrator should add the Security Reader role to the related administrator accounts. 
 
-The least privileged built-in role that grants both permissions is *Security Reader*. As a best practice, your global administrator should add the Security Reader role to the related administrator accounts. 
-
-The following built-in roles grant permissions to read Conditional Access policies:
+The following built-in roles grant permissions to *read Conditional Access policies*:
 
 - Global Administrator 
-
 - Global Reader 
-
 - Security Administrator 
-
 - Security Reader 
-
 - Conditional Access Administrator 
 
-
-The following built-in roles grant permission to view sign-in logs: 
+The following built-in roles grant permission to *view sign-in logs*: 
 
 - Global Administrator 
-
 - Security Administrator 
-
 - Security Reader 
-
 - Global Reader 
-
 - Reports Reader 
 
 ## Permissions for client apps 
@@ -76,9 +65,7 @@ If you use a client app to pull sign-in logs from Microsoft Graph, your app need
 Any of the following permissions is sufficient for a client app to access applied certificate authority (CA) policies in sign-in logs through Microsoft Graph: 
 
 - `Policy.Read.ConditionalAccess` 
-
 - `Policy.ReadWrite.ConditionalAccess` 
-
 - `Policy.Read.All` 
 
 ## Permissions for PowerShell 
@@ -89,37 +76,28 @@ Like any other client app, the Microsoft Graph PowerShell module needs client pe
 - `AuditLog.Read.All` 
 - `Directory.Read.All` 
 
-These permissions are the least privileged permissions with the necessary access. 
-
-To consent to the necessary permissions, use: 
-
-`Connect-MgGraph -Scopes Policy.Read.ConditionalAccess, AuditLog.Read.All, Directory.Read.All`
-
-To view the sign-in logs, use: 
+The following permissions are the least privileged permissions with the necessary access:
 
-`Get-MgAuditLogSignIn`
+- To consent to the necessary permissions: `Connect-MgGraph -Scopes Policy.Read.ConditionalAccess, AuditLog.Read.All, Directory.Read.All`
+- To view the sign-in logs: `Get-MgAuditLogSignIn`
 
 For more information about this cmdlet, see [Get-MgAuditLogSignIn](/powershell/module/microsoft.graph.reports/get-mgauditlogsignin).
 
 The Azure AD Graph PowerShell module doesn't support viewing applied Conditional Access policies. Only the Microsoft Graph PowerShell module returns applied Conditional Access policies.  
 
-## Confirming access 
-
-On the **Conditional Access** tab, you see a list of Conditional Access policies applied to that sign-in event. 
-
-To confirm that you have admin access to view applied Conditional Access policies in the sign-in logs: 
-
-1. Go to the Azure portal. 
-
-2. In the upper-right corner, select your directory, and then select **Azure Active Directory** on the left pane. 
+## View Conditional Access policies in Azure AD sign-in logs
 
-3. In the **Monitoring** section, select **Sign-in logs**. 
+The activity details of sign-in logs contain several tabs. The **Conditional Access** tab lists the Conditional Access policies applied to that sign-in event. 
 
-4. Select an item in the sign-in table to open the **Activity Details: Sign-ins context** pane.  
+1. Sign in to the [Azure portal](https://portal.azure.com) using the Security Reader role.
+1. In the **Monitoring** section, select **Sign-in logs**. 
+1. Select  a sign-in item from the table to open the **Activity Details: Sign-ins context** pane.  
+1. Select the **Conditional Access** tab.
 
-5. Select the **Conditional Access** tab on the context pane. If your screen is small, you might need to select the ellipsis (**...**) to see all tabs on the context pane.  
+If you don't see the Conditional Access policies, confirm you're using a role that provides access to both the sign-in logs and the Conditional Access policies.
 
 ## Next steps
 
-* [Sign-in error code reference](./concept-sign-ins.md)
-* [Sign-in report overview](concept-sign-ins.md)
+* [Troubleshoot sign-in problems](../conditional-access/troubleshoot-conditional-access.md#azure-ad-sign-in-events)
+* [Review the Conditional Access sign-in logs FAQs](reports-faq.yml#conditional-access)
+* [Learn about the sign-in logs](concept-sign-ins.md)
diff --git a/articles/active-directory/reports-monitoring/overview-reports.md b/articles/active-directory/reports-monitoring/overview-reports.md
@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.topic: overview
 ms.workload: identity
 ms.subservice: report-monitor
-ms.date: 11/01/2022
+ms.date: 02/03/2023
 ms.author: sarahlipsey
 ms.reviewer: sarbar  
 
@@ -70,6 +70,6 @@ In addition to the user interface, Azure AD also provides you with [programmatic
 
 ## Next steps
 
-- [Risky sign-ins report](../identity-protection/overview-identity-protection.md)
+- [Risky sign-ins report](../identity-protection/howto-identity-protection-investigate-risk.md#risky-sign-ins)
 - [Audit logs report](concept-audit-logs.md)
 - [Sign-ins logs report](concept-sign-ins.md)
