drop entra id sign-in log · parse conditional access policy decisions
flags report-only policy hits · block overridden by exclusion · risky sign-in with ca notApplied gaps
heuristic screener · export schema varies — field mapping is best-effort · not definitive proof