The following custom queries were developed using the Configuration Manager Sync dataset and highlight what is possible with Log Analytics integration within Configuration Manager. You are encouraged to develop custom queries to target specific resources and conditions of interest.
Each configuration type is identified by its path in Microsoft's API schema, with colons separating the path segments. In Configuration Manager, this identifier appears in parentheses in the Sync Summary report, for example: Entra ID > Security > Conditional Access > Policies (MSGraph:ConditionalAccess:Policies).
Examples
A configuration type is added/removed/changed in the portal and exported by Configuration Manager Sync
SyncLogs_CL
| where Change_Type in ('Added', 'Removed', 'Changed') and Configuration_Type in ('MSGraph:ConditionalAccess:Policies')
A specific tenant has an export/deploy/preview change. Update tenant_name_here to the correct tenant name.
SyncLogs_CL
| where Change_Type in ('Added', 'Removed', 'Changed') and Tenant == 'tenant_name_here'
A Conditional Access policy is changed from enabled to disabled or report-only, or the policy is deleted
SyncLogs_CL
| where Change_Type in ('Added', 'Removed', 'Changed') and Configuration_Type in ('MSGraph:ConditionalAccess:Policies') and Property_Name == 'state' and Old_Property_Value == 'enabled'
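The query above returns every matching row. As an added example (not one of the product's own queries), the variant below labels each weakening event and summarizes it per tenant, which is easier to wire into an alert rule. Assumptions: the sample rows are constructed, New_Property_Value is an assumed column name by analogy with Old_Property_Value, and the state values are assumed to be stored as Microsoft Graph returns them (enabled, disabled, enabledForReportingButNotEnforced).

```kusto
// Constructed sample rows standing in for SyncLogs_CL.
// To run against real data, drop the datatable and start the query at SyncLogs_CL.
// New_Property_Value is an ASSUMED column name; confirm it in your table schema.
let SampleSyncLogs = datatable(
    TimeGenerated:datetime, Tenant:string, Configuration_Type:string,
    Change_Type:string, Property_Name:string,
    Old_Property_Value:string, New_Property_Value:string)
[
    // enabled -> disabled: should be reported
    datetime(2024-05-01 09:00:00), 'tenant_a', 'MSGraph:ConditionalAccess:Policies', 'Changed', 'state', 'enabled', 'disabled',
    // enabled -> report-only: should be reported
    datetime(2024-05-01 09:05:00), 'tenant_a', 'MSGraph:ConditionalAccess:Policies', 'Changed', 'state', 'enabled', 'enabledForReportingButNotEnforced',
    // an enabled policy removed: should be reported
    datetime(2024-05-02 14:30:00), 'tenant_b', 'MSGraph:ConditionalAccess:Policies', 'Removed', 'state', 'enabled', '',
    // disabled -> enabled is a hardening change: should be ignored
    datetime(2024-05-02 15:00:00), 'tenant_b', 'MSGraph:ConditionalAccess:Policies', 'Changed', 'state', 'disabled', 'enabled',
    // a rename, not a state change: should be ignored
    datetime(2024-05-03 08:00:00), 'tenant_a', 'MSGraph:ConditionalAccess:Policies', 'Changed', 'displayName', 'Old name', 'New name',
    // a newly added policy has no previous state: should be ignored
    datetime(2024-05-03 08:10:00), 'tenant_b', 'MSGraph:ConditionalAccess:Policies', 'Added', 'state', '', 'enabled'
];
SampleSyncLogs
// Same filter as the query above, minus 'Added' (an added policy has no old state).
| where Configuration_Type == 'MSGraph:ConditionalAccess:Policies'
| where Change_Type in ('Removed', 'Changed')
| where Property_Name == 'state' and Old_Property_Value == 'enabled'
// Label what the enabled policy turned into.
| extend Weakening = case(
    Change_Type == 'Removed', 'policy removed',
    New_Property_Value == 'disabled', 'enabled -> disabled',
    New_Property_Value == 'enabledForReportingButNotEnforced', 'enabled -> report-only',
    'enabled -> other')
// One row per tenant and kind of weakening, most recent first.
| summarize Events = count(), LastSeen = max(TimeGenerated) by Tenant, Weakening
| order by Tenant asc, LastSeen desc
```

The 'enabled -> other' bucket catches any state value the case statement does not recognise, so an unexpected value is surfaced rather than silently dropped.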