Sample Log Analytics queries

  • Last update on September 27th, 2024

The following custom queries were developed using the Configuration Manager Sync dataset and highlight what is possible with Log Analytics integration within Configuration Manager. You are encouraged to develop custom queries to target specific resources and conditions of interest.

Configuration types are specified using the path from Microsoft's API schema, with colons separating the path segments. In Configuration Manager, this identifier is shown in parentheses in the Sync Summary report, for example: Entra ID > Security > Conditional Access > Policies (MSGraph:ConditionalAccess:Policies).

Examples

A configuration type is added/removed/changed in the portal and exported by Configuration Manager Sync

SyncLogs_CL
| where Change_Type in ('Added', 'Removed', 'Changed') and Configuration_Type in ('MSGraph:ConditionalAccess:Policies')

A specific tenant has an export/deploy/preview change. Update tenant_name_here to the correct tenant name.

SyncLogs_CL
| where Change_Type in ('Added', 'Removed', 'Changed') and Tenant == 'tenant_name_here'

A Conditional Access policy is changed from enabled to disabled or reporting only, or the policy is deleted


SyncLogs_CL
| where Change_Type in ('Added', 'Removed', 'Changed') and Configuration_Type in ('MSGraph:ConditionalAccess:Policies') and Property_Name == 'state' and Old_Property_Value == 'enabled'
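
The Conditional Access query above can be turned into an alert-ready summary per tenant and hour. This is an added example, not one of the original sample queries: the rows in SampleSyncLogs and the tenant names are constructed, the column names are the ones used in the queries on this page, and TimeGenerated is the standard Log Analytics timestamp column.

```kql
// Constructed sample rows so the query can be tried without live data.
// Columns mirror those used in the sample queries on this page.
let SampleSyncLogs = datatable(
    TimeGenerated: datetime,
    Tenant: string,
    Configuration_Type: string,
    Change_Type: string,
    Property_Name: string,
    Old_Property_Value: string)
[
    datetime(2024-09-27 08:05:00), 'contoso-example',  'MSGraph:ConditionalAccess:Policies', 'Changed', 'state',       'enabled',
    datetime(2024-09-27 08:20:00), 'contoso-example',  'MSGraph:ConditionalAccess:Policies', 'Changed', 'displayName', 'Require MFA',
    datetime(2024-09-27 08:40:00), 'contoso-example',  'MSGraph:ConditionalAccess:Policies', 'Removed', 'state',       'enabled',
    datetime(2024-09-27 09:10:00), 'fabrikam-example', 'MSGraph:ConditionalAccess:Policies', 'Changed', 'state',       'disabled',
    datetime(2024-09-27 09:30:00), 'fabrikam-example', 'MSGraph:ConditionalAccess:Policies', 'Added',   'state',       ''
];
SampleSyncLogs   // replace with SyncLogs_CL to run against the real table
// Same filter as the sample query: a policy whose previous state was 'enabled'.
| where Change_Type in ('Added', 'Removed', 'Changed')
    and Configuration_Type in ('MSGraph:ConditionalAccess:Policies')
    and Property_Name == 'state'
    and Old_Property_Value == 'enabled'
// Group by tenant and hour so a burst of weakened policies stands out,
// and split the count by change type for triage.
| summarize
    Events       = count(),
    StateChanged = countif(Change_Type == 'Changed'),
    Removed      = countif(Change_Type == 'Removed'),
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated)
    by Tenant, Hour = bin(TimeGenerated, 1h)
| order by Events desc
```

Rows whose previous state was not 'enabled', and changes to properties other than state, are filtered out before the summary.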