Merge pull request #5976 from MicrosoftDocs/main

Publish to live, Friday 4 AM PST, 11/15

docs/identity/monitoring-health/how-to-view-applied-conditional-access-policies.md

@@ -1,24 +1,24 @@
 ---
 title: Conditional Access and Microsoft Entra sign-in logs
-description: Learn how to view Conditional Access policies in Microsoft Entra sign-in logs so that you can assess the effect of those policies.
+description: Learn how to view Conditional Access details in Microsoft Entra sign-in logs so that you can assess the effect of your policies.
 author: shlipsey3
 manager: amycolannino
 ms.service: entra-id
 ms.topic: how-to
 ms.subservice: monitoring-health
-ms.date: 04/15/2024
+ms.date: 11/14/2024
 ms.author: sarahlipsey
 ms.reviewer: egreenberg
 
-# Customer intent: As an IT admin, I want to view applied Conditional Access policies in Microsoft Entra sign-in logs so that I can assess the effect of those policies.
+# Customer intent: As an IT admin, I want to view applied Conditional Access details in the Microsoft Entra sign-in logs so that I can assess the effect of any policies in place.
 
 ---
 
-# View applied Conditional Access policies in Microsoft Entra sign-in logs
+# View applied Conditional Access details in the Microsoft Entra sign-in logs
 
-With Conditional Access policies, you can control how your users get access to the resources of your Azure tenant. As a tenant admin, you need to be able to determine what effect your Conditional Access policies have on sign-ins to your tenant, so that you can take action if necessary.
+With Conditional Access policies, you can control how your users get access to your Azure and Microsoft Entra resources. As a tenant admin, you need to be able to determine what effect your Conditional Access policies have on sign-ins to your tenant, so that you can take action if necessary. The sign-in logs in Microsoft Entra ID give you the information that you need to assess the effect of your Conditional Access policies.
 
-The sign-in logs in Microsoft Entra ID give you the information that you need to assess the effect of your policies. This article explains how to view applied Conditional Access policies in those logs.
+This article explains how to view applied Conditional Access policies in those logs.
 
 ## Prerequisites
 
@@ -27,36 +27,28 @@ To see applied Conditional Access policies in the sign-in logs, administrators m
 The following built-in roles grant permissions to *read Conditional Access policies*:
 
 - Security Reader
-- Global Reader
 - Security Administrator
 - Conditional Access Administrator
 
 The following built-in roles grant permission to *view sign-in logs*:
 
 - Reports Reader
 - Security Reader
-- Global Reader
 - Security Administrator
 
-### Permissions for client apps
+### Permissions
 
-If you use a client app to pull sign-in logs from Microsoft Graph, your app needs permissions to receive the `appliedConditionalAccessPolicy` resource from Microsoft Graph. As a best practice, assign `Policy.Read.ConditionalAccess` because it's the least privileged permission.
+If you use a client app or the Microsoft Graph PowerShell module to pull sign-in logs from Microsoft Graph, your app needs permissions to receive the `appliedConditionalAccessPolicy` resource from Microsoft Graph. As a best practice, assign `Policy.Read.ConditionalAccess` because it's the least privileged permission.
 
-Any of the following permissions is sufficient for a client app to access applied Conditional Access policies in sign-in logs through Microsoft Graph:
+The following permissions allow a client app to access the activity logs and any applied Conditional Access policies in sign-in logs through Microsoft Graph:
 
 - `Policy.Read.ConditionalAccess`
 - `Policy.ReadWrite.ConditionalAccess`
 - `Policy.Read.All`
-
-### Permissions for PowerShell
-
-Like any other client app, the Microsoft Graph PowerShell module needs client permissions to access applied Conditional Access policies in the sign-in logs. To successfully pull applied Conditional Access policies in the sign-in logs, you must consent to the necessary permissions with your administrator account for Microsoft Graph PowerShell. As a best practice, consent to:
-
-- `Policy.Read.ConditionalAccess`
 - `AuditLog.Read.All`
 - `Directory.Read.All`
 
-The following permissions are the least privileged permissions with the necessary access:
+To use the Microsoft Graph PowerShell module, you also need the following least privileged permissions with the necessary access:
 
 - To consent to the necessary permissions: `Connect-MgGraph -Scopes Policy.Read.ConditionalAccess, AuditLog.Read.All, Directory.Read.All`
 - To view the sign-in logs: `Get-MgAuditLogSignIn`
@@ -79,20 +71,102 @@ Some scenarios require you to get an understanding of how your Conditional Acces
 
 You can access the sign-in logs by using the Microsoft Entra admin center, the Azure portal, Microsoft Graph, and PowerShell.  
 
-## View Conditional Access policies in Microsoft Entra sign-in logs
+## How to view Conditional Access policies
 <a name='view-conditional-access-policies-in-azure-ad-sign-in-logs'></a>
 
+### [Microsoft Entra admin center](#tab/microsoft-entra-admin-center)
+
 [!INCLUDE [portal update](../../includes/portal-update.md)]
 
 The activity details of sign-in logs contain several tabs. The **Conditional Access** tab lists the Conditional Access policies applied to that sign-in event.
 
-1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Reader](../role-based-access-control/permissions-reference.md#global-reader).
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Reports Reader](../role-based-access-control/permissions-reference.md#reports-reader).
 1. Browse to **Identity** > **Monitoring & health** > **Sign-in logs**.
 1. Select a sign-in item from the table to view the sign-in details pane.  
 1. Select the **Conditional Access** tab.
 
 If you don't see the Conditional Access policies, confirm you're using a role that provides access to both the sign-in logs and the Conditional Access policies.
 
+### [Microsoft Graph API](#tab/microsoft-graph-api)
+
+Follow these instructions to list Microsoft Entra roles using the Microsoft Graph API in [Graph Explorer](https://aka.ms/ge).
+
+1. Sign in to the [Graph Explorer](https://aka.ms/ge).
+1. Select **GET** as the HTTP method from the dropdown. 
+1. Select the API version to **v1.0**.
+1. To get a list of Conditional Access policies, add the following query and select **Run query**.
+
+   ```http
+   GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
+   ```
+
+1. To view a specific Conditional Access policy, add the policy ID.
+
+   ```http
+   GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/{id}
+   ```
+
+For more information, review the following resources:
+
+- [conditionalAccessPolicy resource type](/graph/api/resources/conditionalaccesspolicy)
+- [signIn resource type](/graph/api/resources/signin)
+
+### [Microsoft Graph PowerShell](#tab/microsoft-graph-powershell)
+
+Follow these steps to list Microsoft Entra roles using PowerShell.
+
+1. Open a PowerShell window. If necessary, use [Install-Module](/powershell/module/powershellget/install-module) to install Microsoft Graph PowerShell. For more information, see [Prerequisites to use PowerShell or Graph Explorer](../role-based-access-control/prerequisites.md).
+
+    ```powershell
+    Install-Module Microsoft.Graph -Scope CurrentUser
+    ```
+
+2. In a PowerShell window, use [Connect-MgGraph](/powershell/microsoftgraph/authentication-commands#using-connect-mggraph) to sign in to your tenant.
+
+    ```powershell
+    Connect-MgGraph -Scopes "Policy.Read.All", "Policy.Read.ConditionalAccess"
+    ```
+
+3. Use [Get-MgIdentityConditionalAccessPolicy](/powershell/module/microsoft.graph.identity.signins/get-mgidentityconditionalaccesspolicy) to get all Conditional Access policies.
+
+    ```powershell
+    Get-MgIdentityConditionalAccessPolicy
+    ```
+
+4. To format the results as a list, use the following command:
+
+    ```powershell
+    Get-MgIdentityConditionalAccessPolicy |Format-List
+    ```
+
+The following command can be used to export sign-in logs to a CSV file, that's formatted to highlight Conditional Access related details.
+
+1. Define the output CSV file path.
+
+    ```powershell
+    $PathCsv = "C:\\temp\\ConditionalAccessSignInLogs.csv"
+    ```
+1. Retrieve the logs, filtered from a specified date, and export them to the CSV file.
+
+    ```powershell
+    $SignInLogs = Get-MgAuditLogSignIn -Filter "createdDateTime gt 2024-11-10T05:30:00.0Z" | Select-Object `
+    @{Name="ResourceName";Expression={$_.ResourceDisplayName}}, `
+    @{Name="User";Expression={$_.UserDisplayName}}, `
+    @{Name="IPv4";Expression={$_.IPAddress}}, `
+    @{Name="Location";Expression={$_.Location.City}}, `
+    @{Name="NamedLocation";Expression={$_.ConditionalAccessLocations}}, `
+    @{Name="Success/Failure/ReportOnly";Expression={$_.ConditionalAccessStatus}}, `
+    @{Name="FailureReason";Expression={$_.FailureReason}}, `
+    @{Name="Details";Expression={$_.ConditionalAccessDetails}}, `
+    @{Name="DeviceName";Expression={$_.DeviceDetail.DeviceDisplayName}}, `
+    @{Name="ClientApp";Expression={$_.ClientAppUsed}} | 
+    Export-Csv -Path $PathCsv -NoTypeInformation
+
+    Write-Host "Conditional Access SignInLogs exported to $PathCsv"
+    ```
+
+---
+
 ## Next steps
 
 - [Troubleshoot Conditional Access related sign-in problems](../conditional-access/troubleshoot-conditional-access.md#microsoft-entra-sign-in-events)

docs/identity/saas-apps/excelityglobal-tutorial.md

@@ -144,11 +144,11 @@ In this section, you'll enable B.Simon to use single sign-on by granting access
 
 ## Configure ExcelityGlobal SSO
 
-To configure single sign-on on **ExcelityGlobal** side, you need to send the **Thumbprint value** and appropriate copied URLs from the application configuration to [ExcelityGlobal support team](https://www.excelityglobal.com/contact-us). They set this setting to have the SAML SSO connection set properly on both sides.
+To configure single sign-on on **ExcelityGlobal** side, you need to send the **Thumbprint value** and appropriate copied URLs from the application configuration to [ExcelityGlobal support team](https://www.dayforce.com/contact). They set this setting to have the SAML SSO connection set properly on both sides.
 
 ### Create ExcelityGlobal test user
 
-In this section, you create a user called Britta Simon in ExcelityGlobal. Work with [ExcelityGlobal support team](https://www.excelityglobal.com/contact-us) to add the users in the ExcelityGlobal platform. Users must be created and activated before you use single sign-on.
+In this section, you create a user called Britta Simon in ExcelityGlobal. Work with [ExcelityGlobal support team](https://www.dayforce.com/contact) to add the users in the ExcelityGlobal platform. Users must be created and activated before you use single sign-on.
 
 ## Test SSO