If you have Conditional Access configured and active within your Azure AD environment, there may be scenarios where users are not able to sign in. When you want to troubleshoot these sign-in failures as an administrator, you normally turn to the Azure AD sign-in logs and work from there to determine the cause of the failures.
The sign-in logs can be overwhelming, though, and you might want a more precise view of the exact scenario the user is executing so that you can filter the sign-in logs down to the specific part where things go wrong.
There is a way to accomplish that: instruct your users to enable flagging when they hit the error caused by Conditional Access. Here is how it works.
Want to know more about Conditional Access? I’ve written a white paper on the subject, which contains 95 pages; you can find the latest version below.
Enable flagging of sign-in errors
When a user cannot access a resource, they will probably be presented with a screen like the one below.
From that screen the user can select “more details”, which brings up a screen like the one below.
This screen already contains some very specific information, such as the Request ID and Correlation ID, which you can use in a filter. Both IDs are GUIDs, however, which are not very friendly to ask your end users to supply.
Instead, we can ask the user to select “Enable flagging”, which flags each of their subsequent sign-in events so that we can filter on them later. Once enabled, every sign-in by that user is flagged for 20 minutes. So after users enable this option, you need to ask them to reproduce the issue within that window.
Filtering your flagged items in the Azure AD Sign-in logs
Within the Azure AD sign-in logs you can create a filter using the “Flagged for review” field.
Once the filter is applied, only the sign-ins where the user had enabled flagging appear in the list of sign-in logs, giving you a much narrower view in which you can concentrate on the specific issue that the user is experiencing.
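The same filter can be applied outside the portal. The following is an added example (not from the original post or from Microsoft) that pulls the flagged sign-ins through the Microsoft Graph PowerShell SDK and lists, for each one, the error and the Conditional Access policies that were evaluated. It assumes the Microsoft.Graph module is installed, the account has the AuditLog.Read.All and Directory.Read.All permissions, and that the beta sign-in resource exposes a filterable flaggedForReview property.

```powershell
# Added example: list sign-ins that a user flagged for review and show which
# Conditional Access policies applied. Not part of the original post.
# Assumptions: Microsoft.Graph module installed; AuditLog.Read.All and
# Directory.Read.All granted; flaggedForReview is filterable on the beta signIn resource.

Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All' -NoWelcome

# Server-side filter on the flag so only sign-ins the user marked come back.
# To narrow to one user, append: and userPrincipalName eq 'user@contoso.com' (placeholder)
$uri = "https://graph.microsoft.com/beta/auditLogs/signIns?`$filter=flaggedForReview eq true&`$top=50"

# Follow @odata.nextLink until all pages have been collected
$flagged = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $flagged += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

$flagged | ForEach-Object {
    [pscustomobject]@{
        When          = $_.createdDateTime
        User          = $_.userPrincipalName
        App           = $_.appDisplayName
        ErrorCode     = $_.status.errorCode
        FailureReason = $_.status.failureReason
        CAStatus      = $_.conditionalAccessStatus
        CorrelationId = $_.correlationId
        # One entry per evaluated policy with its result (success, failure, notApplied, ...)
        Policies      = ($_.appliedConditionalAccessPolicies |
                         ForEach-Object { "$($_.displayName)=$($_.result)" }) -join '; '
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

The Policies column shows which policy produced the failure, and the CorrelationId lets you jump back to the exact entry in the portal if you need the full details.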
Conclusion
Flagging sign-in errors for review is a very useful feature when you are troubleshooting Azure AD sign-in errors. You have to instruct your users to use it when they run into an issue, and they need to reproduce the issue for the flagged sign-ins to appear. It is handy, though, to be able to filter on the specific scenario instead of going through all of that user’s sign-ins.
Reference
What are flagged sign-ins in Azure Active Directory? – https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/overview-flagged-sign-ins