Named and trusted networks in Azure AD logs with Log Analytics

Azure AD logs contain NetworkLocationDetails property, which contains information if network is tagged as trusted named location, or just named network location in Conditional Access.

Use cases

  • It’s much easier to understand why and how Conditional Access Policy is targeted, or bypassed (Exclusion) condition, since the logs contain now extra information about the named location in the NetworkLocationDetails property
  • Having a quick way to see when events in logs are being generated in tagged networks (named locations)


If you are interested about generally the themes here, I recommend reviewing following articles


Location condition in Azure Active Directory Conditional Access | Microsoft Docs

Log Analytics

bag_unpack plugin – Azure Data Explorer | Microsoft Docs

mv-expand operator – Azure Data Explorer | Microsoft Docs

Example queries

Expand unique NetworkLocationDetails to simple columns with sign-in logs information
  • Expands records with networkLocationDetails populated for selected projection
union AADNonInteractiveUserSignInLogs, SigninLogs
| project NetworkLocationDetails, IPAddress, UserPrincipalName, Location
| mv-expand parse_json(NetworkLocationDetails)
| evaluate bag_unpack(NetworkLocationDetails)
| distinct IPAddress, UserPrincipalName, tostring(networkNames), networkType, Location
Expand unique NetworkLocationDetails side by side with Conditional Access Results

  • Expands CA policies with networkLocationDetails populated
  • and CA policy name and result aggregated into single string

    union AADNonInteractiveUserSignInLogs, SigninLogs
    | mv-expand parse_json(NetworkLocationDetails)
    | evaluate bag_unpack(NetworkLocationDetails)
    | extend CaDetail = iff(isempty(ConditionalAccessPolicies_dynamic) == true, parse_json(ConditionalAccessPolicies_string), ConditionalAccessPolicies_dynamic)
      |mv-expand CaDetail 
    | extend caRes = strcat(CaDetail.displayName, '-', CaDetail.result)
    | distinct IPAddress, tostring(networkNames), networkType, Location, caRes

    End of blog

    With various real world use cases you can optimize and tune the queries as you want. These were just technical examples showing how to get started with the information provided

    2 comments on “Named and trusted networks in Azure AD logs with Log Analytics

    1. Christophe Humbert


      I don’t find the fields ConditionalAccessPolicies_string our _dynamic

      Would you mind explaining a bit more


      • Hi Christophe! The queries use UNION operator, which takes input of two different tables (SigninLogs and NonInteractive) – both of those logs contain information for ConditionalAccessPolicies, but types are different for these sources (String, and dynamic), thats why the output of UNION operator will in these cases produce two records instead of one. My query, just normalizes them


    Vastaa käyttäjälle Joosua Santasalo Peruuta vastaus

    Täytä tietosi alle tai klikkaa kuvaketta kirjautuaksesi sisään:


    Olet kommentoimassa WordPress.com -tilin nimissä. Log Out /  Muuta )


    Olet kommentoimassa Facebook -tilin nimissä. Log Out /  Muuta )

    Muodostetaan yhteyttä palveluun %s

    %d bloggaajaa tykkää tästä: