If you have Conditional Access configured and active within your Azure AD environment, there might be some scenario’s where users are not able to sign-in. If you want to troubleshoot these sign-in failures as an administrator you normally turn to the Azure AD sign-in logging and work from there to determine the cause of these failures.
The sign-in logs can be overwhelming though, and you might want to have a more detailed view of the exact scenario that the user is executing so that you can filter the sign-in logging to the specific part where things go wrong.
Well there is a way to accomplish that, by instructing your users to Enable flagging when they hit the error caused by Conditional Access. Here is how it works
Want to know more about Conditional Access? I’ve written a white paper on the subject which contains 95 pages, you can find the latest version below
Enable flagging of sign-in errors
When a user cannot access a resource they will probably be presented with a screen like the one below
From that screen the user can select “more details” which will bring up a screen like the one below
This screen already has some very specific information like the Request and Correlation ID which you can use in a filter, but both ID’s are GUIDs which is not very friendly to ask your end users to supply.
We can ask user to “Enable flagging” and which will flag each sign-in event, so that we can filter on them later. Once enabled, each sign-in log will be flagged for 20 minutes. So after users enable this option, you need to ask them to reproduce the issue.
Filtering your flagged items in the Azure AD Sign-in logs
Within Azure AD sign-in logging you can create a filter using the “Flagged for review” field
Once enabled, only the sign-ins where the user enabled flagging will appear in the list of sign-in logs giving you a better filtering option where you can concentrate on the specific issue that the user is experiencing.
Flag sign-in errors for review is a very useful feature if you are troubleshooting Azure AD sign-in errors. You have to instruct your users to use it in case of an issue and they need to reproduce the issue for the sign-ins to appear. It can be handy though to filter on the specific scenario instead of going through all the sign-ins of that user instead.
What are flagged sign-ins in Azure Active Directory? – https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/overview-flagged-sign-ins