Azure Activity Log missing legacy auth failed attempts or account lockouts for AAD Powershell
- Dec 11, 2017
Update 12/11/2017 - Microsoft Premier Support said this is working "by design" and will either provide a public facing article that states this and/or will open a "Design Change Request" to log these legacy authentication failure events.
I seem to have some in the logs, they are marked as "Office 365" for the application name though.
- Joe Stocker, Dec 04, 2017, Bronze Contributor
Thanks. Can you confirm your events are from Azure Active Directory PowerShell Module version 1.0 using Legacy Authentication? How long is the delay before you see them in the logs? To be clear, we are not referring to Exchange legacy authentication... it is specific to Azure AD PowerShell using legacy auth.
- VasilMichev, Dec 04, 2017, MVP
So the V2 module should be "Azure Active Directory PowerShell", and it has the "MFA Required" set to true. Apart from that, I have been using the old MSOnline module, which gets reflected as just "Office 365" and as I'm using the -credentials parameter with it, it's definitely legacy auth ("MFA requires" says false).
Not sure about the delay, but I do have some logins from today, so should be relatively fast.
- Joe Stocker, Dec 04, 2017, Bronze Contributor
Interesting, so far in two separate tenants we are not seeing v1 module legacy authentication attempts.
To confirm we are looking in the same place as you, are you going into Azure Active Directory > Activity > Sign-Ins?
When filtering on "Office 365" as the application and sign-in status Failure for the past 24 hours we don't see any events. And when we broaden the filter for all failures, we don't see any of the legacy auth failures. Again, we are seeing this auditing gap exist in two separate Azure AD tenants. I'm about to check a 3rd.