Forum Discussion
Microsoft Operator?
Hi all,
We recently had an alert raised in Azure Sentinel about "Rare and potentially high-risk Office operations".
When checking the events that triggered the alert, I saw in the "AccountCustomEntity" and "Userkey" fields: Microsoft Operator
The account name does make it assumable that this is activity regarding Microsoft Support performing actions. But we do not have any open cases...
This is not an account that has been made in the tenant, nor can I find any documentation that states the existence or usage of a Microsoft Operator account.
I have checked:
- Azure AD (audit & sign in logs)
- Exchange audit logs
- MCAS
Even when filtering on the IP address that has been used I can't find any hits.
FYI: the IP address is not linked to a Microsoft datacenter.
Is this indeed an official Microsoft support account, and can someone explain where we can find the original logs?
Kind Regards
Louis
2 Replies
- LouisMastelinck, Brass Contributor
The people I reached out to did not know of an O365 request. But the documentation and logs do seem to indicate this is what happened. Thanks @Clive Watson
- CliveWatson, Former Employee
Would someone have raised an O365 request?