David Levine
Feb 15, 2017

Office365 Audit Log Information

Hi all,

So, I was pulled into a session with counsel and a forensics person today to discuss some stuff. I came away wondering if there was an easy way to "show me every time that <user> logged in to an Office365 service, where the login originated (ip address?), and from what type of device (domain joined?)"...

I see an event like "PasswordLogonInitialAuthUsingPassword" which shows some basic info, including the client IP address, but I don't see anything about the client device itself. Is there anything like this available today or is there anything being considered for future implementation?

Thanks!

  • If you mean the Azure AD logs in the SCC, it depends on the workload, for example "Mailbox login" events should give you the client information as well. If you take a look at the logs from the Azure Portal (Classic portal -> Azure AD -> select user -> Activity log) it includes the client information for more types of logins.

    Are you looking only for auditing the client used, or also to impose some type of restrictions?

    • David Levine

      Hi Vasil,

      Yes - I am currently using the Office365 Security & Compliance portal (Search & Investigation --> Audit Log Search).

      I am only trying to gain insight at the moment - trying to see when a user logged in and accessed any Office365 services, and from where, on what device... the most interesting information would be to see when the user logged in from a non-company issued device, like a personal tablet or home computer.

      I didn't realize that I could look at AAD information from the Classic Azure portal as well... I just logged in there and it looks like I can't view any user activity from before today... right now specifically... which is strange...

      I am not looking to impose any restrictions though...

      Thanks! 
