| 1 | +--- |
| 2 | +title: Conditional Access block policy health scenario |
| 3 | +description: Learn about the Microsoft Entra Health signals and alerts for Conditional Access block policy health scenarios |
| 4 | +author: shlipsey3 |
| 5 | +manager: femila |
| 6 | +ms.service: entra-id |
| 7 | +ms.topic: how-to |
| 8 | +ms.subservice: monitoring-health |
| 9 | +ms.date: 04/25/2025 |
| 10 | +ms.author: sarahlipsey |
| 11 | +ms.reviewer: sarbar |
| 12 | + |
| 13 | +# Customer intent: As an IT admin, I want to understand the health of my tenant through identity related signals and alerts so I can proactively address issues and maintain a healthy tenant. |
| 14 | +--- |
| 15 | + |
| 16 | +# How to investigate the Conditional Access block policy alert |
| 17 | + |
| 18 | +Microsoft Entra Health monitoring provides a set of tenant-level health metrics you can monitor and alerts for when a potential issue or failure condition is detected. There are multiple health scenarios that can be monitored, including Conditional Access block policies. To learn more about how Microsoft Entra Health works, see: |
| 19 | + |
| 20 | +- [What is Microsoft Entra Health?](concept-microsoft-entra-health.md) |
| 21 | +- [How to use Microsoft Entra health monitoring signals and alerts](howto-use-health-scenario-alerts.md) |
| 22 | + |
| 23 | +This article describes the health metrics related to Conditional Access block policies, such as it unexpectedly blocking users from accessing resources or the policy not working as intended. |
| 24 | + |
| 25 | +> [!IMPORTANT] |
| 26 | +> Microsoft Entra Health scenario monitoring and alerts are currently in PREVIEW. |
| 27 | +> This information relates to a prerelease product that might be substantially modified before release. Microsoft makes no warranties, expressed or implied, with respect to the information provided here. |
| 28 | +
|
| 29 | +## Prerequisites |
| 30 | + |
| 31 | +There are different roles, permissions, and license requirements to view health monitoring signals and configure and receive alerts. We recommend using a role with least privilege access to align with the [Zero Trust guidance](/security/zero-trust/zero-trust-overview). |
| 32 | + |
| 33 | +- A tenant with a [Microsoft Entra P1 or P2 license](../../fundamentals/get-started-premium.md) is required to *view* the Microsoft Entra health scenario monitoring signals. |
| 34 | +- A tenant with both a [Microsoft Entra P1 or P2 license](../../fundamentals/get-started-premium.md) *and* at least 100 monthly active users is required to *view alerts* and *receive alert notifications*. |
| 35 | +- The [Reports Reader](../role-based-access-control/permissions-reference.md#reports-reader) role is the least privileged role required to *view scenario monitoring signals, alerts, and alert configurations*. |
| 36 | +- The [Helpdesk Administrator](../role-based-access-control/permissions-reference.md#helpdesk-administrator) is the least privileged role required to *update alerts* and *update alert notification configurations*. |
| 37 | +- The [Conditional Access Administrator](../role-based-access-control/permissions-reference.md#conditional-access-administrator) role is required to *view and modify Conditional Access policies*. |
| 38 | +- The `HealthMonitoringAlert.Read.All` permission is required to *view the alerts using the Microsoft Graph API*. |
| 39 | +- The `HealthMonitoringAlert.ReadWrite.All` permission is required to *view and modify the alerts using the Microsoft Graph API*. |
| 40 | +- For a full list of roles, see [Least privileged role by task](../role-based-access-control/delegate-by-task.md#microsoft-entra-health-least-privileged-roles). |
| 41 | + |
| 42 | +## Investigate the alert and signal |
| 43 | + |
| 44 | +Investigating an alert starts with gathering data. With Microsoft Entra Health in the Microsoft Entra admin center, you can view the signal and alert details in one place. You can also view the signals and alerts using the Microsoft Graph API. For more information, see [How to investigate health scenario alerts](../monitoring-health/howto-investigate-health-scenario-alerts.md) for guidance on how to gather data using the Microsoft Graph API. |
| 45 | + |
| 46 | +1. Sign into the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Reports Reader](../role-based-access-control/permissions-reference.md#reports-reader). |
| 47 | + |
| 48 | +1. Browse to **Identity** > **Monitoring and health** > **Health**. The page opens to the Service Level Agreement (SLA) Attainment page. |
| 49 | + |
| 50 | +1. Select the **Health Monitoring** tab. |
| 51 | + |
| 52 | +1. Select the **Conditional Access block policy** scenario and then select an active alert. |
| 53 | + |
| 54 | +1. View the signal from the **View data graph** section to get familiar with the pattern and identify anomalies. |
| 55 | + |
| 56 | +1. Investigate common Conditional Access issues. |
| 57 | + - [Troubleshoot Conditional Access sign-in problems](../conditional-access/troubleshoot-conditional-access.md). |
| 58 | + - [Block access example policy](../conditional-access/policy-block-example.md). |
| 59 | + |
| 60 | +1. Review the sign-in logs. |
| 61 | + - [Review the sign-in log details](concept-sign-in-log-activity-details.md). |
| 62 | + - Look for sign-ins where the Conditional Access status is "failure." |
| 63 | + |
| 64 | +1. Check the audit logs for recent policy changes. |
| 65 | + - [Use the audit logs to troubleshoot Conditional Access policy changes](../conditional-access/troubleshoot-policy-changes-audit-log.md). |
| 66 | + |
| 67 | +## Understand the signal |
| 68 | + |
| 69 | +The Microsoft Entra Health signal for Conditional Access block policy could trigger an alert if there's a spike or dip in the number of users blocked from accessing resources due to a Conditional Access policy. |
| 70 | + |
| 71 | +- A spike could mean a new policy was enabled or an existing policy was modified to target a broader set of users and resources. |
| 72 | +- A dip could mean that a policy was disabled or modified to target a smaller set of users and resources. |
| 73 | + |
| 74 | +These changes could be intentional or unintentional. |
| 75 | + |
| 76 | +- If the change was intentional, no other action is likely needed. |
| 77 | +- If the change is unintentional, you should review the modified Conditional Access policy in the audit logs. |
| 78 | + |
| 79 | +## Mitigate common issues |
| 80 | + |
| 81 | +The following common issues could cause the Conditional Access block policy alert to trigger an alert. This list isn't exhaustive, but provides a starting point for your investigation. |
| 82 | + |
| 83 | +### Many users are receiving the "You can’t get there from here" message |
| 84 | + |
| 85 | +The Conditional Access block alert can trigger if there’s an increase in the "You can’t get there from here" error message during sign-in. This message appears if the application the user is trying to access can only be accessed from devices or client applications that meet the organization’s mobile device management policy. |
| 86 | + |
| 87 | +- A spike in a large number of users receiving this alert could indicate a change to the organization’s mobile device management policy. |
| 88 | +- A spike for a few users could indicate an issue with their specific device. |
| 89 | + |
| 90 | +To investigate: |
| 91 | + |
| 92 | +Go to the **Affected entities** section of the selected scenario and select **View** for users. |
| 93 | + |
| 94 | +- If the issue is affecting a larger number of users, there might be a change to the mobile device management policy that you need to address. |
| 95 | +- If the issue is affecting a few users, it could be related to their specific device. They might need to join their devices to the organization's network. Select a user to navigate directly to their profile. |
| 96 | + |
| 97 | +To remediate issues affecting a large number of users: |
| 98 | + |
| 99 | +1. Review the audit logs to see what changes were made to your Conditional Access policies. |
| 100 | + - Filter to **Category: Policy** and look for the following events: |
| 101 | + - **Add conditional access policy** |
| 102 | + - **Delete conditional access policy** |
| 103 | + - **Update conditional access policy** |
| 104 | + |
| 105 | +  |
| 106 | + |
| 107 | + - You can also use the following Microsoft Graph API queries: |
| 108 | + - GET `https://graph.microsoft.com/beta/auditLogs/directoryAudits?$filter=loggedByService eq 'Conditional Access'` |
| 109 | + - GET `https://graph.microsoft.com/beta/auditLogs/directoryAudits?$filter=loggedByService eq 'Conditional Access' and operationType eq 'Update'` |
| 110 | + - GET `https://graph.microsoft.com/beta/auditLogs/directoryAudits?$filter=loggedByService eq 'Conditional Access' and operationType eq ‘Add’` |
| 111 | + - GET `https://graph.microsoft.com/beta/auditLogs/directoryAudits?$filter=loggedByService eq 'Conditional Access' and operationType eq 'Delete'` |
| 112 | + - GET `https://graph.microsoft.com/beta/auditLogs/directoryAudits?$filter=loggedByService eq 'Conditional Access' and activityDateTime ge 2024-12-04T22:03:57.2013763Z` |
| 113 | + |
| 114 | +1. Review your mobile device management policies to ensure they're configured correctly. Sign in to the [Microsoft Intune admin center](https://intune.microsoft.com/) as an [Intune Administrator](../role-based-access-control/permissions-reference.md#intune-administrator) and browse to **Devices** > **Configuration** to review your policies. |
| 115 | + |
| 116 | +To remediate issues affecting specific users: |
| 117 | + |
| 118 | +- Join their work-owned device to the organization's network. |
| 119 | +- Register their personal device with the organization's network. |
| 120 | + |
| 121 | +## Related content |
| 122 | + |
| 123 | +- [Learn about Conditional Access and Intune](/mem/intune/protect/conditional-access) |
| 124 | +- [How to investigate health scenario alerts](howto-investigate-health-scenario-alerts.md) |
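Review bot: the third Graph query on line 110, `operationType eq ‘Add’`, wraps `Add` in typographic quotes rather than the straight single quotes used by the Update and Delete queries on lines 109 and 111, so the `$filter` is malformed and the request fails instead of returning the policy-creation events; change it to `operationType eq 'Add'`. In the same block, line 112 hard-codes `activityDateTime ge 2024-12-04T22:03:57.2013763Z` with no note that it is a sample timestamp; the text should tell the reader to substitute the window around the alert's start time, and since `auditLogs/directoryAudits` is available on `v1.0`, the five queries should use `v1.0` rather than `beta` unless a beta-only property is needed. Separately, the per-user remediation on lines 118-119 says to join or register the device "with the organization's network", which does not match the cause given on line 85 (the app only allows devices that meet the mobile device management policy) or the Intune check on line 114; the steps should say to join the work-owned device to Microsoft Entra (or hybrid join it), register the personal device with Microsoft Entra, and enroll it in Intune so it is evaluated as compliant.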