Reporting tools to measure MFA activations or simply OWA access?

Brass Contributor

Greetings,

 

So I was wondering if there are any tools or scripts (if any) for showing numbers of users accessing the mailbox from outside an organization's internal network. Our organization has Office 365 and because there's the online platform with mail app, we wanted to know if it was possible to see how many people access their emails from outside the private network (from their homes or other places).

 

When they do that, the security is done in a way that it calls to their cellphones or phone app in order to authenticate with MFA.

 

I'm thinking along the lines of measuring how many MFAs are being activated or simply how many people read from the OWA or something.

 

Thanks in advanced!

5 Replies
I would recommend you to review the following:
(1) Usage reports you hace in Office 365 that you probably have already reviewed and considered these reports are not what you are looking for
(2) Power BI Adoption Content Pack: You have more information there about Office 365 usage, so explore the default reports and the underlying model just to see if they fit your requirements or not
(3) Compliance & Security Center and the Query search options you have on the Activity Log
(4) Azure AD built-in reports

In case these options are not what you are looking for then I see the following options:
(1) Depending on your Office 365 Plan, evaluate if any of the Office 365 AddOns to monitor this activity are what you are looking for. For instance, ASM could be a great AddOn for you
(2) Third party solutions
(3) Build your won solution on top of Office 365 APIs

@Juan Carlos González Martín wrote:
I would recommend you to review the following:
(1) Usage reports you hace in Office 365 that you probably have already reviewed and considered these reports are not what you are looking for
(2) Power BI Adoption Content Pack: You have more information there about Office 365 usage, so explore the default reports and the underlying model just to see if they fit your requirements or not
(3) Compliance & Security Center and the Query search options you have on the Activity Log
(4) Azure AD built-in reports

In case these options are not what you are looking for then I see the following options:
(1) Depending on your Office 365 Plan, evaluate if any of the Office 365 AddOns to monitor this activity are what you are looking for. For instance, ASM could be a great AddOn for you
(2) Third party solutions
(3) Build your won solution on top of Office 365 APIs

(1) As you mentioned, I'm using this report, but there isn't enough information to determine exactly how many people are accessing their mails from outside company network. It just shows devices from which users access it from.

 

(2) Already have the new PowerBi adoption content pack, but it only seems to show the devices users access from and not if they are using from outside company network. 

 

(3) That I've yet to check

 

(4) Also would have to check

 

As for the addon ASM, I will look into it and give a reply as soon as I test it out.

 

Thanks!

Don't waste your money on ASM, you can get the same level of detail from the Audit logs available in the SCC (or the Azure AD ones).

As @Vasil Michev mentioned, using O365 Audit logs is the better option. Check for "User signed in to mailbox" activity, which shows the IP address. Also to get the reports, you should enable the auditing in your mailbox as below.

 

Get-Mailbox -ResultSize Unlimited| Set-Mailbox -AuditEnabled $true -AuditOwner Create,HardDelete,Move,MoveToDeletedItems,SoftDelete,Update,MailboxLogin

 

user login.png

If you filter out mailbox login activities which don't fall under your corporate IP range then you can easily get your expected result. But SCC doesn't provide an option to search based on IP range or multiple IP addresses.

 

I recommend you to try AdminDroid Reports. You can apply advanced filter capabilities and schedule a report as per your need. Try the online demo.

 

Note: You need to turn on mailbox auditing to get this activity in audit log search. Use the script below to enable mailbox login auditing.

 

Get-Mailbox -ResultSize Unlimited| Set-Mailbox -AuditEnabled $true -AuditOwner MailboxLogin