Monitor and troubleshoot continuous access evaluation

Administrators can monitor and troubleshoot sign-in events where continuous access evaluation (CAE) is applied in multiple ways.

Continuous access evaluation sign-in reporting

Administrators can monitor user sign-ins where continuous access evaluation (CAE) is applied. This information is found in the Microsoft Entra sign-in logs:

  1. Sign in to the Microsoft Entra admin center as at least a Security Reader.
  2. Browse to Entra ID > Monitoring & health > Sign-in logs.
  3. Apply the Is CAE Token filter.

Screenshot showing how to add a filter to the sign-in log to see where CAE is being applied or not.

From here, admins are presented with information about their users' sign-in events. Select any sign-in to see details about the session, like which Conditional Access policies applied and whether CAE is enabled.

There are multiple sign-in requests for each authentication. Some are on the interactive tab, while others are on the non-interactive tab. CAE is marked true for only one of those requests, and that request can be on either the interactive tab or the non-interactive tab. Admins must check both tabs to confirm whether the user's authentication is CAE enabled or not.

Searching for specific sign-in attempts

Sign-in logs show success and failure events. Use filters to narrow your search. For example, if a user signs in to Teams, apply the Application filter and set it to Teams. Admins might need to check the sign-ins from both interactive and non-interactive tabs to locate the specific sign-in. To further narrow the search, admins might apply multiple filters.
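The two paragraphs above describe an authentication that spreads across several interactive and non-interactive sign-in requests, with the CAE flag set on just one of them, and the use of the Application filter to narrow the search. The following added example (not code from the page or from Microsoft) does the same correlation offline over exported sign-in records: it groups requests by correlation ID, applies an optional application filter, and reports which single request carried the CAE token and on which tab it would appear. The record shape is an assumption modeled on the Microsoft Graph signIn resource as exported to JSON; the CAE indicator is read from the authenticationProcessingDetails key/value list under the key "Is CAE Token" (the name of the filter the page describes), and the sample records are constructed.

```python
"""Correlate exported Entra sign-in requests and find the one that carried CAE.

Assumed record shape (not from the page): dicts modeled on the Graph signIn
resource; the CAE indicator is assumed to sit in authenticationProcessingDetails
under the key "Is CAE Token". The sample records below are constructed.
"""
from collections import defaultdict

# Constructed sample: one Teams authentication (c-100) that produced three
# requests, one interactive and two non-interactive, only one of which carries
# the CAE token; and one Outlook authentication (c-200) with no CAE token at all.
SAMPLE_SIGNINS = [
    {"id": "a1", "correlationId": "c-100", "isInteractive": True,
     "appDisplayName": "Microsoft Teams", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10",
     "authenticationProcessingDetails": [{"key": "Is CAE Token", "value": "False"}]},
    {"id": "a2", "correlationId": "c-100", "isInteractive": False,
     "appDisplayName": "Microsoft Teams", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10",
     "authenticationProcessingDetails": [{"key": "Is CAE Token", "value": "True"}]},
    {"id": "a3", "correlationId": "c-100", "isInteractive": False,
     "appDisplayName": "Microsoft Teams", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10",
     "authenticationProcessingDetails": []},
    {"id": "b1", "correlationId": "c-200", "isInteractive": True,
     "appDisplayName": "Outlook", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.7",
     "authenticationProcessingDetails": [{"key": "Is CAE Token", "value": "False"}]},
]


def is_cae_token(record):
    """True when the record's processing details say a CAE token was issued."""
    for detail in record.get("authenticationProcessingDetails", []):
        if detail.get("key") == "Is CAE Token":
            return str(detail.get("value", "")).lower() == "true"
    return False


def group_by_correlation(records, app_filter=None):
    """Bucket requests by correlationId, optionally keeping only one app.

    Both interactive and non-interactive requests are kept, because the CAE
    flag can sit on either kind, exactly as the page says to check both tabs.
    """
    groups = defaultdict(list)
    for rec in records:
        if app_filter and rec.get("appDisplayName") != app_filter:
            continue
        groups[rec["correlationId"]].append(rec)
    return dict(groups)


def cae_summary(records, app_filter=None):
    """Per authentication: whether CAE was enabled and which request shows it."""
    summary = {}
    for cid, reqs in group_by_correlation(records, app_filter).items():
        cae_reqs = [r for r in reqs if is_cae_token(r)]
        tab = None
        if cae_reqs:
            tab = "interactive" if cae_reqs[0]["isInteractive"] else "non-interactive"
        summary[cid] = {
            "user": reqs[0].get("userPrincipalName"),
            "request_count": len(reqs),
            "cae_enabled": bool(cae_reqs),
            "cae_request_id": cae_reqs[0]["id"] if cae_reqs else None,
            "cae_request_tab": tab,
        }
    return summary


if __name__ == "__main__":
    # Narrow to Teams first, as the page suggests, then show everything.
    for cid, info in cae_summary(SAMPLE_SIGNINS, app_filter="Microsoft Teams").items():
        print(cid, info)
```

In the constructed sample the CAE token lands on a non-interactive request, which is the case that is easy to miss when only the interactive tab is reviewed; the summary makes that explicit per correlation ID.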

Continuous access evaluation workbooks

The continuous access evaluation insights workbook lets admins view and monitor CAE usage insights for their tenants. The table shows authentication attempts with IP mismatches. This workbook is available as a template under the Conditional Access category.

Accessing the CAE workbook template

You need to complete Log Analytics integration before workbooks are shown. To learn how to stream Microsoft Entra sign-in logs to a Log Analytics workspace, see Integrate Microsoft Entra logs with Azure Monitor logs.

  1. Sign in to the Microsoft Entra admin center as at least a Security Reader.
  2. Browse to Entra ID > Monitoring & health > Workbooks.
  3. Under Public Templates, search for Continuous access evaluation insights.

The Continuous access evaluation insights workbook contains the following table:

Potential IP address mismatch between Microsoft Entra ID and resource provider

The potential IP address mismatch between Microsoft Entra ID and resource provider table lets admins investigate sessions where the IP address detected by Microsoft Entra ID doesn't match the IP address detected by the resource provider.

This workbook table highlights these scenarios by showing the respective IP addresses and whether a CAE token was issued during the session.

Continuous access evaluation insights per sign-in

The continuous access evaluation insights per sign-in page in the workbook connects multiple requests from the sign-in logs and displays a single request where a CAE token was issued.

This workbook is useful, for example, when a user opens Outlook on their desktop and tries to access resources in Exchange Online. This sign-in action might map to multiple interactive and non-interactive sign-in requests in the logs, making issues hard to diagnose.

IP address configuration

Your identity provider and resource providers might see different IP addresses. This mismatch can occur due to the following reasons:

  • Your network implements split tunneling.
  • Your resource provider is using an IPv6 address and Microsoft Entra ID is using an IPv4 address.
  • Because of network configurations, Microsoft Entra ID sees one IP address from the client and your resource provider sees a different IP address from the client.

If this scenario exists in your environment, to avoid infinite loops, Microsoft Entra ID issues a one-hour CAE token and doesn't enforce client location change during that one-hour period. Even in this case, security is improved compared to traditional one-hour tokens since we're still evaluating the other events besides client location change events.

Admins can view records filtered by time range and application, and compare the number of mismatched IPs detected with the total number of sign-ins during a specified period.

To unblock users, admins can add specific IP addresses to a trusted named location.

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Entra ID > Conditional Access > Named locations. Here you can create or update trusted IP locations.

Note

Before adding an IP address as a trusted named location, confirm that the IP address belongs to the intended organization.
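The IP address mismatch table, the three mismatch causes listed under IP address configuration, and the trusted named location procedure above all revolve around comparing the address Entra ID saw with the address the resource provider saw. The following added example (not code from the page or from Microsoft) models that comparison offline: it classifies each session as a match, an IPv4-versus-IPv6 family difference, or a same-family address difference (split tunneling or other network configuration), records whether a CAE token was issued, counts mismatches against total sign-ins per application, and reports whether the Entra-observed address already falls inside a trusted named location. The session field names (entra_ip, rp_ip, cae_token), the trusted ranges and the sample sessions are all constructed for this example.

```python
"""Classify Entra ID vs resource provider IP mismatches and check named locations.

Assumed session shape (not from the page): each session carries the address
Entra ID saw ("entra_ip"), the address the resource provider saw ("rp_ip") and
whether a CAE token was issued ("cae_token"). Trusted ranges and sample
sessions below are constructed.
"""
import ipaddress
from collections import Counter

# Constructed trusted named locations, keyed by display name, as CIDR ranges.
# Only add a range here after confirming the address belongs to your organization.
TRUSTED_NAMED_LOCATIONS = {
    "HQ egress": ["203.0.113.0/24"],
    "Branch IPv6": ["2001:db8:10::/48"],
}

SAMPLE_SESSIONS = [
    # Both sides saw the same address.
    {"id": "s1", "app": "Exchange Online", "entra_ip": "203.0.113.10",
     "rp_ip": "203.0.113.10", "cae_token": True},
    # Same client, IPv4 towards Entra ID and IPv6 towards the resource provider.
    {"id": "s2", "app": "Exchange Online", "entra_ip": "203.0.113.10",
     "rp_ip": "2001:db8:10::5", "cae_token": True},
    # Split tunnel: two different addresses of the same family.
    {"id": "s3", "app": "SharePoint Online", "entra_ip": "203.0.113.10",
     "rp_ip": "198.51.100.7", "cae_token": True},
    # Mismatch where the Entra-observed address is in no trusted location.
    {"id": "s4", "app": "Exchange Online", "entra_ip": "192.0.2.44",
     "rp_ip": "198.51.100.9", "cae_token": False},
]


def classify_mismatch(entra_ip, rp_ip):
    """Return 'match', 'family' (IPv4 vs IPv6) or 'address' (same family, differs)."""
    a, b = ipaddress.ip_address(entra_ip), ipaddress.ip_address(rp_ip)
    if a == b:
        return "match"
    if a.version != b.version:
        return "family"
    return "address"


def trusted_location_for(ip, named_locations=TRUSTED_NAMED_LOCATIONS):
    """Name of the first trusted named location containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in named_locations.items():
        for cidr in ranges:
            net = ipaddress.ip_network(cidr, strict=False)
            if addr.version == net.version and addr in net:
                return name
    return None


def mismatch_report(sessions, app_filter=None):
    """Workbook-style summary: mismatched vs total sessions, plus per-session rows."""
    rows = []
    for s in sessions:
        if app_filter and s["app"] != app_filter:
            continue
        rows.append({
            "id": s["id"],
            "kind": classify_mismatch(s["entra_ip"], s["rp_ip"]),
            "cae_token": s["cae_token"],
            "entra_trusted_location": trusted_location_for(s["entra_ip"]),
        })
    return {
        "total": len(rows),
        "mismatched": sum(1 for r in rows if r["kind"] != "match"),
        "by_kind": dict(Counter(r["kind"] for r in rows)),
        "rows": rows,
    }


if __name__ == "__main__":
    report = mismatch_report(SAMPLE_SESSIONS, app_filter="Exchange Online")
    print(report["mismatched"], "of", report["total"], "sessions mismatched", report["by_kind"])
    for row in report["rows"]:
        print(row)
```

Rows whose Entra-observed address resolves to a trusted named location are the ones already covered by the procedure above; rows with no trusted location are the candidates to verify before any range is added.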

For more information about named locations, see Using the location condition.