Problem 

You need to prevent specific users from accessing particular applications based on criteria. For example, you may want users to be able to access Drive only from a particular IP address.

Context aware access (CAA) has monitor mode, letting you turn on the CAA to see the impact before taking it live.

In this example, we'll investigate who is using the Originality reports and the usage occurrences. 

Steps

1. Open the Investigation Tool.
   Security > Security center > Investigation tool
2. Search for or select Context Aware Access log events from the drop-down as your data source.
3. Click Search. The results appear at the bottom of the page. Here, the results are a list of all context-aware access. 
   
   The CAAs that are in Monitor mode contain Monitor mode in the event name.
   
4. If you are happy with the investigation you built and want to retain it, click Save Investigation, located on the right.

See our full list of Investigation tool recipes.