Office 365 Auditing

Office 365 is a commercial service so it's not really surprising that Microsoft has several levels of service that you need to pay for. It's the same in the on-premises world. For instance, Exchange 2016 comes in a standard and an enterprise edition. If you are happy with five mailbox databases, you can pay less and go with the standard edition. If you need to run more, you need to pay more and run the enterprise edition. In other words, you decide what functionality you need and then you know what you have to pay for.

Coming back to Office 365 auditing, the events for failed logins are captured by Azure AD and could be processed for inclusion in the audit data mart. However, that is not the case and I think that someone decided that the more appropriate place for this kind of activity to be monitored is the Azure AD portal. In some ways, it makes sense because the Azure AD portal is where security comes together for Azure applications. I can see a good case to be argued for failed login events to show up in the Office 365 audit log too (especially as successful logins are often captured by apps like Teams). If you want to make a case for this to happen, why not create an request in User Voice? You'll probably get a better response there than you will from sounding off here.