Visualize Sign-In Failures Due To Conditional Access Policy
Description
This KQL query returns a visualization of the sign-in failure types in your tenant that are related to Conditional Access. Use it to determine which failures are caused by a policy, and whether they point to strange activity or to a policy that needs to be tuned.
Query
Microsoft Sentinel
Kusto
SigninLogs
| where ResultDescription has "Conditional Access"
| summarize Total = count() by ResultType, ResultDescription
| render barchart with(title="Conditional Access Failures")
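
To see which policy is behind each failure type, the same failures can be broken down per policy. The query below is an added example, not part of the original page; it assumes the standard SigninLogs columns ConditionalAccessPolicies, UserPrincipalName and AppDisplayName, and the 7-day lookback is an arbitrary choice.

```kusto
// Added example: per-policy drill-down of the failures counted by the query above.
SigninLogs
| where TimeGenerated > ago(7d)                    // assumed lookback window, adjust as needed
| where ResultDescription has "Conditional Access"
// ConditionalAccessPolicies holds one entry per policy evaluated for the sign-in
| mv-expand Policy = ConditionalAccessPolicies
// Keep only the policies that actually failed the sign-in,
// dropping entries such as success, notApplied or report-only results
| where tostring(Policy.result) == "failure"
| summarize Failures = count(),
            AffectedUsers = dcount(UserPrincipalName),
            Apps = make_set(AppDisplayName, 10)    // sample of up to 10 affected applications
    by PolicyName = tostring(Policy.displayName), ResultType
| order by Failures desc
```

A policy with many failures spread over many users and applications is a tuning candidate, while failures concentrated on a few accounts are worth reviewing as possible strange activity.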