A condition of IAM access has been violated (Microsoft specific)
This event means that one or more conditional access policy rules were applied to block an attempt to sign in to the M365 account. Either a Customer Admin or an MSP Admin would have created the conditional access policy that was triggered to generate this alert.
Any sign-in attempts blocked by conditional access can be reviewed in the Microsoft Entra sign-in logs:
https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/signInlogs
If you need to review existing conditional access policies for the tenant you can find them within Microsoft Entra Security here:
https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies
Blocking an account can take up to 24 hours to take effect. If you need to immediately prevent a user's sign-in access, follow the steps above and reset their password.
An additional point to be aware of is that a conditional access violation may be preceded by a successful login event. SaaS Alerts picks up multiple events for this type of situation because conditional access rules are applied after the credentials have been successfully authenticated. SaaS Alerts records the initial credential pass (which occurs before conditional access rules are evaluated) as a successful login, because it is a signature that the credentials for the account are known. Microsoft issues the authentication token first and then evaluates conditional access rules before providing the access token. This sequence tells us that the credentials are known (including passing MFA, if required) and that access was then blocked based on CA rules. This is a definite risk pattern: it should inform the MSP that the account credentials are likely compromised and that the user should be contacted to change their password, or at least to confirm whether they were actually trying to use the account from a location that is blocked by CA and not approved in the SaaS Alerts whitelisting settings.
SaaS Alerts subsequently picks up the failed login caused by the CA rule being applied, so our logs show the “successful” login followed by the failed login due to CA rules.
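The two-event sequence described above can be turned into a simple detection: pair a successful credential pass with a conditional-access block for the same user that follows within a short window. The example below is added here and is not SaaS Alerts code; the records are constructed, with field names modelled on the Microsoft Entra sign-in log schema (`userPrincipalName`, `createdDateTime`, `conditionalAccessStatus`, `status.errorCode`), and error code 53003 is assumed to be the "blocked by Conditional Access" code.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like Microsoft Entra sign-in log entries.
# Field names follow the Entra schema; users, IPs and times are made up.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T08:00:00Z",
     "ipAddress": "198.51.100.7", "conditionalAccessStatus": "notApplied",
     "status": {"errorCode": 0}},                       # credential pass logged as success
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T08:00:02Z",
     "ipAddress": "198.51.100.7", "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53003}},                   # then blocked by a CA policy
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-01T09:00:00Z",
     "ipAddress": "203.0.113.5", "conditionalAccessStatus": "success",
     "status": {"errorCode": 0}},                       # normal sign-in, CA satisfied
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2024-05-01T10:00:00Z",
     "ipAddress": "203.0.113.9", "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53003}},                   # CA block with no prior success
]

CA_BLOCKED = 53003  # assumed: AADSTS53003, access blocked by Conditional Access


def _ts(record):
    """Parse the ISO-8601 timestamp (trailing Z means UTC)."""
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def find_credentials_known_then_blocked(records, window_seconds=300):
    """Return (upn, ip, success_time, block_time) for every user whose successful
    credential pass is followed within window_seconds by a CA-blocked sign-in."""
    window = timedelta(seconds=window_seconds)
    by_user = {}
    for r in sorted(records, key=_ts):
        by_user.setdefault(r["userPrincipalName"], []).append(r)
    hits = []
    for upn, events in by_user.items():
        for i, ev in enumerate(events):
            if ev["status"]["errorCode"] != 0:
                continue  # only a successful credential pass can open a pair
            for later in events[i + 1:]:
                if _ts(later) - _ts(ev) > window:
                    break  # events are sorted, nothing later can be in the window
                if (later["conditionalAccessStatus"] == "failure"
                        and later["status"]["errorCode"] == CA_BLOCKED):
                    hits.append((upn, later["ipAddress"], _ts(ev), _ts(later)))
                    break
    return hits


if __name__ == "__main__":
    for upn, ip, t_ok, t_block in find_credentials_known_then_blocked(SAMPLE_SIGNINS):
        print(f"RISK: {upn} credentials accepted from {ip} at {t_ok:%H:%M:%S}, "
              f"then CA-blocked at {t_block:%H:%M:%S}; contact the user and reset the password")
```

Only Alice is flagged: Bob's sign-in satisfied CA, and Carol's block has no preceding credential pass, so it is a plain blocked attempt rather than the known-credentials pattern.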