Forum Discussion
Office365 Audit Log Information
download the log and take a look in the AuditData column, it has all kinds of extra data that does not show in the browser view.
Take a look at https://support.office.com/en-us/article/Detailed-properties-in-the-Office-365-audit-log-ce004100-9e7f-443e-942b-9b04098fcfc3 and https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c?ui=en-US&rs=en-US&ad=US#ID0EABAAA=Search_the_audit_log
If you mean the Azure AD logs in the SCC, it depends on the workload, for example "Mailbox login" events should give you the client information as well. If you take a look at the logs from the Azure Portal (Classic portal -> Azure AD -> select user -> Activity log) it includes the client information for more types of logins.
Are you looking only for auditing the client used or also impose some type of restrictions?
Hi Vasil,
Yes - I am currently using the Office365 Security & Compliance portal (Search & Investigation --> Audit Log Search).
I am only trying to gain insight at the moment - trying to see when a user logged in and accessed and Office365 services, and from where, on what device... the most interesting information would be to see when the user logged in from a non-company issued device, like a personal tablet or home computer.
I didn't realize that I could look at AAD information form the Classic Azure portal as well... I just logged in there and it looks like I can't view any user activity from before today... right now specifically... which is strange...
I am not looking to impose any restrictions though...
Thanks!
download the log and take a look in the AuditData column, it has all kinds of extra data that does not show in the browser view.
Take a look at https://support.office.com/en-us/article/Detailed-properties-in-the-Office-365-audit-log-ce004100-9e7f-443e-942b-9b04098fcfc3 and https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c?ui=en-US&rs=en-US&ad=US#ID0EABAAA=Search_the_audit_log
The reports were first available only as part of the Azure protal, they made it to the SCC later on (well some of them). I'm not sure why you are not able to see past events though, perhaps the Azure AD Premium requirements is in play...
Here's the documentation just in case: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-view-access-usage-reports#user-specific-reports
