
Audit feed API returns user logged in message for removed user

Yevhen Kryvun
New Contributor

I found an incorrect message in the Audit log about a log-in of a removed user:


{
  "Operation": "UserLoggedIn",
  "ResultStatus": "Succeeded",
  "LogonError": "UserAccountNotFound"
}

Can someone clarify why we have "LogonError" and a result status of "Succeeded"? Is this a correct log message in the audit log?


2 Replies

I noticed the same events and got this response from a Microsoft Support Escalation Engineer:


"My name is Taylor ******** and I am with the Office 365 Authentication team. I see that there was a question on the Unified audit logs regarding unknown users being processed and showing Success status. So, what this means is that Azure AD was able to successfully take the attempt and process it. Then the login attempt failed to authenticate due to the user account not being found. This is by design and purely means that an attempt was made and was processed."

Update from Microsoft: Upon working with the engineering team, we have identified that this is a known issue where "UserAccountNotFound" shows up with "ResultStatus: Succeeded". They are aware of this issue and are working on getting this fixed in the future. This should not be considered a security breach, i.e. that the account logged in to the mailbox. It is simply that when the Azure AD workload sends the audit log to the Unified Audit Log pipeline, the data is not mapped correctly, causing the "ResultStatus" field to show an incorrect value. Hope that clears your concerns.
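An added example, not code from the thread or from Microsoft: detection logic for a SIEM or script consuming Unified Audit Log records that treats a non-empty LogonError as authoritative, so the mapping bug described above does not count a failed attempt against a removed account as a real sign-in. The sample records are constructed; UserId is a standard audit-record field, and the e-mail addresses are placeholders.

```python
import json
from dataclasses import dataclass

# Constructed sample records (newline-delimited JSON) modelled on the fields
# quoted in the thread. The first one reproduces the mis-mapped event.
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    {"Operation": "UserLoggedIn", "UserId": "removed.user@example.com",
     "ResultStatus": "Succeeded", "LogonError": "UserAccountNotFound"},
    {"Operation": "UserLoggedIn", "UserId": "alice@example.com",
     "ResultStatus": "Succeeded"},
    {"Operation": "UserLoggedIn", "UserId": "bob@example.com",
     "ResultStatus": "Failed", "LogonError": "InvalidUserNameOrPassword"},
    {"Operation": "MailItemsAccessed", "UserId": "alice@example.com",
     "ResultStatus": "Succeeded"},
])

@dataclass
class Outcome:
    user: str
    operation: str
    effective_status: str   # "Succeeded" or "Failed" after normalisation
    mismatch: bool          # ResultStatus says Succeeded but LogonError is set

def load_records(text: str) -> list:
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def normalize(record: dict) -> Outcome:
    """For UserLoggedIn, any non-empty LogonError means the sign-in failed,
    regardless of ResultStatus; flag the contradictory case for review."""
    status = record.get("ResultStatus", "")
    error = record.get("LogonError", "")
    user = record.get("UserId", "")
    op = record.get("Operation", "")
    if op == "UserLoggedIn" and error:
        return Outcome(user, op, "Failed", mismatch=(status == "Succeeded"))
    return Outcome(user, op, status, mismatch=False)

def summarize(text: str):
    """Return (number of genuine successful sign-ins, mismatched outcomes)."""
    outcomes = [normalize(r) for r in load_records(text)]
    real_logins = sum(1 for o in outcomes
                      if o.operation == "UserLoggedIn" and o.effective_status == "Succeeded")
    return real_logins, [o for o in outcomes if o.mismatch]

if __name__ == "__main__":
    logins, flagged = summarize(SAMPLE_JSONL)
    print(f"genuine sign-ins: {logins}")
    for o in flagged:
        print(f"ResultStatus/LogonError mismatch, review: {o.user}")
```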
