Forum Discussion
High Volume Email accounts and sign-in logs
When looking at the Entra ID sign-in logs for a High Volume Email account I noticed that it seems that after the first successful login from a certain public IP, subsequent logins are no longer logged that day (or at least for a number of hours afterwards).
This makes it cumbersome to test how Conditional Access affects the login via the sign-in logs.
Has anyone else experienced this?
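As an added example (not part of this thread), one way to check the observation above from an export rather than from the portal view: Entra ID keeps interactive and non-interactive user sign-ins in separate logs, and each Graph `auditLogs/signIns` record carries `isInteractive`, `conditionalAccessStatus` and `appliedConditionalAccessPolicies`. The script below groups an exported list of records by account and source IP, counts interactive against non-interactive events per hour, and summarises how each Conditional Access policy evaluated, which is what you need to see whether a CA change took effect for the HVE account. The sample records are constructed in that schema with only the fields the script reads; the export step (for instance Get-MgBetaAuditLogSignIn, since the non-interactive log has to be requested explicitly through the beta signInEventTypes filter) is assumed and not shown.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export shaped like Microsoft Graph auditLogs/signIns records
# (only the fields this script reads); not data from any real tenant.
SAMPLE_EXPORT = json.dumps([
    {"createdDateTime": "2024-05-06T08:02:11Z", "userPrincipalName": "hve-sender@contoso.example",
     "ipAddress": "203.0.113.10", "isInteractive": True, "appDisplayName": "SMTP",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0},
     "appliedConditionalAccessPolicies": [{"displayName": "Require compliant device", "result": "success"}]},
    {"createdDateTime": "2024-05-06T08:31:44Z", "userPrincipalName": "hve-sender@contoso.example",
     "ipAddress": "203.0.113.10", "isInteractive": False, "appDisplayName": "SMTP",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0},
     "appliedConditionalAccessPolicies": []},
    {"createdDateTime": "2024-05-06T09:05:02Z", "userPrincipalName": "hve-sender@contoso.example",
     "ipAddress": "203.0.113.10", "isInteractive": False, "appDisplayName": "SMTP",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0},
     "appliedConditionalAccessPolicies": []},
    {"createdDateTime": "2024-05-06T09:40:27Z", "userPrincipalName": "hve-sender@contoso.example",
     "ipAddress": "198.51.100.7", "isInteractive": True, "appDisplayName": "SMTP",
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003},
     "appliedConditionalAccessPolicies": [{"displayName": "Require compliant device", "result": "failure"}]},
])


def load_signins(text):
    """Parse an exported JSON array of sign-in records and attach a parsed UTC timestamp."""
    records = json.loads(text)
    for r in records:
        # Graph timestamps are ISO 8601 in UTC with a trailing Z.
        r["_ts"] = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
    return records


def summarise_by_source(records):
    """Per (account, source IP): first/last seen, interactive vs non-interactive counts,
    failed sign-ins, and how each Conditional Access policy evaluated."""
    out = {}
    for r in sorted(records, key=lambda rec: rec["_ts"]):
        key = (r["userPrincipalName"], r["ipAddress"])
        s = out.setdefault(key, {"first": r["_ts"], "last": r["_ts"], "interactive": 0,
                                 "non_interactive": 0, "failed": 0, "ca": defaultdict(Counter)})
        s["last"] = r["_ts"]
        s["interactive" if r.get("isInteractive") else "non_interactive"] += 1
        if r.get("status", {}).get("errorCode", 0) != 0:
            s["failed"] += 1
        for p in r.get("appliedConditionalAccessPolicies", []):
            s["ca"][p["displayName"]][p["result"]] += 1
    return out


def hourly_counts(records):
    """Count sign-ins per (account, IP, UTC hour) as [interactive, non_interactive], to spot
    hours where the interactive log goes quiet while the non-interactive log keeps recording."""
    counts = defaultdict(lambda: [0, 0])
    for r in records:
        hour = r["_ts"].strftime("%Y-%m-%dT%H")
        counts[(r["userPrincipalName"], r["ipAddress"], hour)][0 if r.get("isInteractive") else 1] += 1
    return dict(counts)


def report(records):
    """Human-readable summary lines, one per source IP plus one per CA policy seen from it."""
    lines = []
    for (upn, ip), s in summarise_by_source(records).items():
        lines.append(f"{upn} from {ip}: first {s['first']:%H:%M}, last {s['last']:%H:%M}, "
                     f"{s['interactive']} interactive, {s['non_interactive']} non-interactive, "
                     f"{s['failed']} failed")
        for policy, results in s["ca"].items():
            lines.append(f"    CA policy '{policy}': " + ", ".join(f"{k}={v}" for k, v in results.items()))
    return lines


if __name__ == "__main__":
    print("\n".join(report(load_signins(SAMPLE_EXPORT))))
```

Run against a real export, an hour with `[0, N]` in `hourly_counts` for an IP that showed an interactive sign-in earlier tells you the later logons were recorded as non-interactive (token refreshes and silent logons) rather than dropped; the `ca` summary shows per policy whether it was `success`, `failure` or `notApplied` for that source.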
3 Replies
- _on_Fire (Copper Contributor)
GageSterling, thank you, but I'm not looking for the login history from Exchange Online. I'm looking for more recent entries in the Entra ID Sign-in logs of the HVE account after the first successful login of the day.
- GageSterling (Iron Contributor)
1. Quickly get the login log (PowerShell command)
```powershell
# Get the last 100 MailboxLogin events for a given mailbox (adjust the number as needed).
# Get-MailboxLoginStatistics is not an Exchange Online cmdlet; mailbox logons are returned
# by Search-UnifiedAuditLog (run Connect-ExchangeOnline first).
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -Operations MailboxLogin -UserIds "email address removed for privacy reasons" -ResultSize 100
```
2. Filter abnormal logins (e.g. non-company IP segments)
```powershell
$startDate = (Get-Date).AddDays(-7)
# Each record carries its details as JSON in AuditData; expand it before filtering on the client IP.
Search-UnifiedAuditLog -StartDate $startDate -EndDate (Get-Date) -Operations MailboxLogin `
    -UserIds "email address removed for privacy reasons" -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.ClientIPAddress -notlike "192.168.*" }
```
3. Automated monitoring scripts (run daily)
```powershell
# Save to log file
$logPath = "C:\Logs\MailboxLoginAudit_$(Get-Date -Format yyyyMMdd).csv"
# MessageCount is not a Get-Mailbox property; the item count comes from Get-MailboxStatistics.
$busyMailboxes = Get-Mailbox -ResultSize Unlimited |
    Where-Object { (Get-MailboxStatistics -Identity $_.Identity).ItemCount -gt 10000 }
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -Operations MailboxLogin `
    -UserIds $busyMailboxes.UserPrincipalName -ResultSize 5000 |
    Export-Csv $logPath -NoTypeInformation
```
4. Key configuration adjustments
Extend log retention time:
```powershell
# Set admin audit log retention to 90 days. The parameter is AdminAuditLogAgeLimit (not AuditLogAgeLimit)
# and applies to on-premises Exchange, where 90 days is already the default; in Exchange Online the
# admin audit log is kept in the unified audit log instead.
Set-AdminAuditLogConfig -AdminAuditLogAgeLimit 90
```
Enable enhanced logging:
```powershell
# Keep 180 days of mailbox audit records. MailboxLogin is not an audited owner action by default,
# so add it explicitly if the searches above are to return owner logons (logged for POP3/IMAP4 and OAuth).
Set-Mailbox -Identity "email address removed for privacy reasons" -AuditEnabled $true -AuditLogAgeLimit 180 `
    -AuditOwner @{Add = "MailboxLogin"}
```
5. Real-time alert settings
```powershell
# A mail flow rule acts on messages, not sign-ins: this one sends an incident report whenever mail
# reaches the HVE address from outside the company IP range. The original parameter names
# (AnyOfRecipientAddressContains, ExceptIfClientIPAddressesMatch) do not exist; these do.
New-TransportRule -Name "SuspiciousLoginAlert" `
    -SentTo "email address removed for privacy reasons" `
    -ExceptIfSenderIpRanges "192.168.0.0/16" `
    -GenerateIncidentReport "SecurityAlert" -IncidentReportContent Sender, Recipients, Subject
```
6. Emergency handling
Lock the suspicious account immediately:
```powershell
# Block sign-in for the account behind the mailbox
Set-Mailbox -Identity "email address removed for privacy reasons" -AccountDisabled $true
```
Quickly export evidence:
```powershell
# Search-UnifiedAuditLog returns at most 5000 records per call; page with -SessionCommand ReturnLargeSet for more.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -Operations MailboxLogin `
    -UserIds "email address removed for privacy reasons" -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, ClientIPAddress, ClientInfoString, ResultStatus |
    Export-Csv "C:\Investigation\LoginRecords.csv" -NoTypeInformation
```
7. Best Practices
Archive commands on a regular basis (run monthly)
```powershell
# Move last month's log mail into a dated folder in the dedicated mailbox. Search-Mailbox is deprecated in Exchange Online (New-ComplianceSearch replaces it); the received range stops earlier Logs_ folders matching again.
$archiveMB = "email address removed for privacy reasons"
$lastMonth = (Get-Date -Day 1).AddMonths(-1)
$query = "kind:email AND received>={0:yyyy-MM-dd} AND received<{1:yyyy-MM-dd}" -f $lastMonth, $lastMonth.AddMonths(1)
Search-Mailbox -Identity $archiveMB -SearchQuery $query -TargetMailbox $archiveMB `
    -TargetFolder "Logs_$($lastMonth.ToString('yyyyMM'))" -DeleteContent
```
- Ahmed_Masoud97 (Steel Contributor)
Have you tried modifying the Conditional Access policy briefly (e.g., requiring MFA), which forces re-evaluation and logging?
Best,
Ahmed Masoud
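A follow-up to the IP filter in GageSterling's reply above, added here and not part of the thread: `-notlike "192.168.*"` is a string prefix test, so it cannot express a list of CIDR ranges and does nothing useful for IPv6. The script below parses the AuditData JSON that Search-UnifiedAuditLog returns for MailboxLogin records, strips the port Exchange sometimes appends to the client address, and flags logons from outside a CIDR allow-list. The records are constructed (not tenant data) using field names from the Exchange mailbox audit schema, and the allow-list is a placeholder assumption.

```python
import ipaddress
import json

# Constructed records in the shape of the AuditData JSON that Search-UnifiedAuditLog returns
# for Operation=MailboxLogin (a subset of the Exchange mailbox audit schema); not real tenant data.
SAMPLE_AUDITDATA = [
    '{"CreationTime":"2024-05-06T08:02:11","Operation":"MailboxLogin","ResultStatus":"Succeeded",'
    '"UserId":"hve-sender@contoso.example","ClientIPAddress":"192.168.40.12",'
    '"ClientInfoString":"Client=SMTP;Protocol=SMTP","LogonType":0}',
    '{"CreationTime":"2024-05-06T08:31:44","Operation":"MailboxLogin","ResultStatus":"Succeeded",'
    '"UserId":"hve-sender@contoso.example","ClientIPAddress":"203.0.113.10:52712",'
    '"ClientInfoString":"Client=SMTP;Protocol=SMTP","LogonType":0}',
    '{"CreationTime":"2024-05-06T09:05:02","Operation":"MailboxLogin","ResultStatus":"Succeeded",'
    '"UserId":"hve-sender@contoso.example","ClientIPAddress":"10.20.3.5",'
    '"ClientInfoString":"Client=POP3/IMAP4;Protocol=IMAP4","LogonType":2}',
    '{"CreationTime":"2024-05-06T09:40:27","Operation":"MailboxLogin","ResultStatus":"Failed",'
    '"UserId":"hve-sender@contoso.example","ClientIPAddress":"[2001:db8:1::7]:443",'
    '"ClientInfoString":"Client=SMTP;Protocol=SMTP","LogonType":0}',
    '{"CreationTime":"2024-05-06T10:12:09","Operation":"MailItemsAccessed","ResultStatus":"Succeeded",'
    '"UserId":"hve-sender@contoso.example","ClientIPAddress":"198.51.100.7",'
    '"ClientInfoString":"Client=REST","LogonType":0}',
]

# Placeholder corporate ranges (an assumption for this example). A prefix test such as
# "192.168.*" cannot express a list of CIDR blocks, and cannot express IPv6 at all.
CORPORATE_RANGES = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.20.0.0/22", "2001:db8::/32")]

LOGON_TYPES = {0: "Owner", 1: "Admin", 2: "Delegate"}  # LogonType values in the mailbox audit schema


def normalise_ip(value):
    """Exchange may append a port: '203.0.113.10:52712' or '[2001:db8::1]:443'. Return the address."""
    value = value.strip()
    if value.startswith("["):
        value = value[1:value.index("]")]
    elif value.count(":") == 1:          # exactly one colon: IPv4 with a port
        value = value.split(":", 1)[0]
    return ipaddress.ip_address(value)


def parse_client_info(info):
    """Split 'Client=SMTP;Protocol=SMTP' into a dict."""
    return dict(kv.split("=", 1) for kv in info.split(";") if "=" in kv)


def flag_external_logons(auditdata_list, ranges=CORPORATE_RANGES):
    """Return the MailboxLogin records whose source address is outside every allowed range."""
    flagged = []
    for raw in auditdata_list:
        r = json.loads(raw)
        if r.get("Operation") != "MailboxLogin":
            continue                     # other mailbox audit operations share the schema; skip them
        ip = normalise_ip(r["ClientIPAddress"])
        if any(ip in net for net in ranges):
            continue
        client = parse_client_info(r.get("ClientInfoString", ""))
        flagged.append({
            "time": r["CreationTime"],
            "user": r["UserId"],
            "ip": str(ip),
            "result": r.get("ResultStatus"),
            "logon": LOGON_TYPES.get(r.get("LogonType"), "Unknown"),
            "protocol": client.get("Protocol", client.get("Client", "?")),
        })
    return flagged


if __name__ == "__main__":
    for f in flag_external_logons(SAMPLE_AUDITDATA):
        print(f"{f['time']} {f['user']} {f['ip']} {f['protocol']} {f['logon']} {f['result']}")
```

To use it on a real export, pass the `AuditData` column of the CSV written by the export step above (one JSON string per row) as `auditdata_list` and replace `CORPORATE_RANGES` with the tenant's real egress ranges.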