Discrepancy between Conditional Access legacy authentication impact report and Sign-in logs

Yash Junghare
2025-05-07T09:22:30.57+00:00

Description:

We are in the process of implementing a Conditional Access policy to block legacy authentication protocols across our tenant.

To evaluate the impact before enforcement, we used Report-only mode and reviewed the “View report-only mode impact” under the Conditional Access policy targeting legacy authentication.

The Graph visualization in the Conditional Access policy impact report indicates that multiple users will be impacted by the policy. However, when we perform a detailed investigation through Sign-in logs, we see zero sign-ins using legacy authentication protocols.


Steps We Followed to Investigate:

Enabled Report-only mode on the Conditional Access policy blocking legacy authentication protocols.

Reviewed the impact report which lists several user accounts expected to be affected.

Navigated to Microsoft Entra Admin Center → Monitoring & health → Sign-in logs.

Filtered by:

User sign-ins (interactive)

**Client App = Legacy authentication clients** (IMAP, POP, SMTP, MAPI over HTTP, Exchange ActiveSync, Autodiscover, etc.)

**Status = All (Success and Failure)**

No matching sign-ins were found during the same timeframe shown in the impact report.
     

What We Need Help With:

Clarification on how the Graph impact report determines legacy authentication usage.

Why is there a discrepancy between the impact report and the actual sign-in logs?

Is the impact report using outdated or cached data?

How can we be confident in the accuracy of the report before enforcing the block?

Microsoft Entra ID

1 answer

    Kancharla Saiteja (Microsoft External Staff Moderator)
    2025-05-07T16:15:21.23+00:00

    Hi @Yash Junghare,

    Based on your query, here is my understanding: You would like to block legacy authentication and check the logs of legacy authentication.

    I believe you might have configured the Conditional Access policy as required; this can also be verified using the steps provided in the document: Block legacy authentication with Conditional Access.

    To check the sign-in logs for legacy authentication, please follow the steps in this document: Identify legacy authentication use.

    If you would like to use a workbook for legacy authentication, you can go through this document: Sign-ins using legacy authentication workbook.

    If you are unable to view any impacted sign in logs, you need to make sure you follow the steps:

    1. Sign in to the Microsoft Entra admin center as at least a Reports Reader.
    2. Browse to Entra ID > Monitoring & health > Sign-in logs.
    3. Add the Client App column if it isn't shown by clicking on Columns > Client App.
    4. Select Add filters > Client App > choose all of the legacy authentication protocols and select Apply.
    5. Also perform these steps on the User sign-ins (non-interactive) tab.

    Make sure the timeframe is properly selected, and make sure you check the non-interactive sign-ins as well.

    For a better view you can also look at the reports under Insights and reporting for Conditional Access. This will give you more information on the logs and a better understanding.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions or if this answer does not help you, please click "Comment".
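The answer above recommends checking both the interactive and the non-interactive sign-in tabs with the Client App filter. The following PowerShell script is an added example, not code from the original thread or from Microsoft, that does the same reconciliation from Microsoft Graph instead of the portal: it pulls both sign-in event types for a time window, keeps the sign-ins that the report-only policy recorded as `reportOnlyFailure`, and compares them with the sign-ins whose `clientAppUsed` is a legacy protocol. Sign-ins that the policy flagged but that carry a non-legacy client app are the ones worth investigating before enforcing the block. It assumes the Microsoft.Graph.Authentication module is installed, the signed-in account has at least the Reports Reader role, and the beta endpoint is used because that is where `signInEventTypes` (and therefore non-interactive sign-ins) is exposed; `$PolicyDisplayName` is a placeholder for your own policy name.

```powershell
# Added example (not from the original post or Microsoft documentation).
# Reconcile the Conditional Access report-only result with the sign-in logs,
# covering both interactive and non-interactive sign-ins via Microsoft Graph.
# Assumptions: Microsoft.Graph.Authentication module, Reports Reader or higher,
# beta endpoint (needed for the signInEventTypes filter).

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$PolicyDisplayName = 'Block legacy authentication'   # placeholder: use your policy's display name
$Days  = 30
$Start = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')

# clientAppUsed values that the sign-in logs use for legacy authentication protocols.
$LegacyClientApps = @(
    'Exchange ActiveSync', 'Authenticated SMTP', 'IMAP4', 'POP3', 'MAPI Over HTTP',
    'Exchange Web Services', 'Exchange Online PowerShell',
    'Outlook Anywhere (RPC over HTTP)', 'Offline Address Book', 'Autodiscover',
    'Reporting Web Services', 'Other clients'
)

# Page through /beta/auditLogs/signIns for one sign-in event type
# ('interactiveUser' or 'nonInteractiveUser') within the time window.
function Get-SignInsByEventType {
    param([Parameter(Mandatory)][ValidateSet('interactiveUser', 'nonInteractiveUser')][string]$EventType)

    $filter = "createdDateTime ge $Start and signInEventTypes/any(t: t eq '$EventType')"
    $uri = 'https://graph.microsoft.com/beta/auditLogs/signIns?$filter=' +
           [uri]::EscapeDataString($filter) + '&$top=999'
    $results = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $results += $page.value
        $uri = $page.'@odata.nextLink'     # $null on the last page, which ends the loop
    }
    return $results
}

$allSignIns = @()
$allSignIns += Get-SignInsByEventType -EventType 'interactiveUser'
$allSignIns += Get-SignInsByEventType -EventType 'nonInteractiveUser'

# Sign-ins the report-only policy would have blocked (result 'reportOnlyFailure').
$flaggedByPolicy = $allSignIns | Where-Object {
    $_.appliedConditionalAccessPolicies | Where-Object {
        $_.displayName -eq $PolicyDisplayName -and $_.result -eq 'reportOnlyFailure'
    }
}

# Sign-ins that actually used a legacy client app (what the portal Client App filter shows).
$legacyByClientApp = $allSignIns | Where-Object { $LegacyClientApps -contains $_.clientAppUsed }

# The discrepancy to investigate: flagged by the policy, but not a legacy client app.
$flaggedNotLegacy = $flaggedByPolicy | Where-Object { $LegacyClientApps -notcontains $_.clientAppUsed }

"Window: last $Days days, $($allSignIns.Count) sign-ins (interactive + non-interactive)"
"Flagged by '$PolicyDisplayName' as reportOnlyFailure : $($flaggedByPolicy.Count)"
"Legacy client app per clientAppUsed                   : $($legacyByClientApp.Count)"
"Flagged but not a legacy client app                   : $($flaggedNotLegacy.Count)"

# Per-user breakdown of the flagged sign-ins, including whether they were non-interactive.
$flaggedByPolicy |
    Select-Object userPrincipalName, clientAppUsed, appDisplayName, createdDateTime,
        @{ n = 'eventTypes'; e = { $_.signInEventTypes -join ',' } } |
    Sort-Object userPrincipalName, createdDateTime |
    Format-Table -AutoSize
```

Run it with the same window the impact report used. If the flagged users show up only under `nonInteractiveUser`, the portal's interactive tab alone would not have shown them, which matches the advice above to check the non-interactive tab; if `flaggedNotLegacy` is non-empty, the policy's conditions (for example the client app selection) are catching sign-ins that the Client App filter does not classify as legacy, and those rows identify exactly which users and apps to review before switching the policy to On.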

