Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Azure AD Sign-ins Logs

Copper Contributor

Hello,

 

When I look at Azure AD Sign-ins Logs, I see many different applications. Some of them are very clear, but not all. For example, what are 

 

dev-rel-auth-prod

AEO Frontend Production

AEO Frontend Production

Office365 Shell WCSS-Client

 

There are some explanations for the latter but it is not clear. For example what are URLs for these? Is there any explanatory document that presents a list of these kind of details?

 

Thanks,

 

11 Replies

Office 365 Shell WCSS-Client is the browser code that runs whenever a user navigates to (most) Office365 applications in the browser.  The shell, also known as the suite header, is shared code that loads as part of almost all Office365 workloads, including SharePoint, OneDrive, Outlook, Yammer, and many more

The other apps can be apps that are registered in Azure AD. For example developers that are creating Apps in connection with Azure AD. Therefore they need to create an app registration. If you go to Azure Active Directory -> App Registrations you get an overview of all registrations that are connected towards your Azure AD tenant.

@JordyBlommaert Would you or anybody know what the application "vortex [wsfed enabled]" is?  It is not a registered application in our tenant.  It has popped up for a couple of our users but they do not know what that is or what they did to cause that sign-in activity.  All the other sign-in information is as expected (IP address, location, browser, OS)

 

Here is a sample entry from the Azure Active Directory Sign-In log:

Application: Vortex [wsfed enabled]
Resource: Windows Azure Active Directory
IP address: xx.xxx.xxx.xx
Location: xxxxxx, xx US
Status: Interrupted
Sign-in error code: 16000
Failure reason: Other
Client app: Unknown
Device ID:
Browser: Chrome 81.0.4044
Operating System: Windows 10
Join Type:
MFA result:
Token issuer type: Azure AD
Conditional access: Not Applied
 
Multiple timestamps very close together.  
 
2020-05-02T01:38:39.466094Z
2020-05-02T01:38:11.9168794Z
2020-05-02T01:38:11.622332Z
2020-05-02T01:38:10.9504493Z
2020-05-02T01:38:09.696237Z
2020-05-02T01:37:30.4821975Z
2020-05-02T01:37:30.247593Z
2020-05-02T01:37:29.7603399Z
 
All other information was the same for each timestamp.

 

@JordyBlommaert Thank you for your reply and explanations for Office365 Shell WCSS-Client. However, I'm definitely disagree with other comment. I have applications in my sign-in logs like:

 

ACOM Azure Website

AEO Frontend Production

dev-rel-auth-prod

 

which are not listed in Applications list in the portal. There is also AIRS application which is only listed among applications, but there is no any other explanation. So, I am trying to learn what those applications are and what they are used for.

 

Thx,

 

 

@Betty Stolwyk Microsoft reported this as an internal error code and can be ignored. Reference Article https://github.com/MicrosoftDocs/azure-docs/issues/10766

Do you see those sign-in logs towards a lot of users? Or only specific users? I think it's not a generic application but a custom developed one.

@JordyBlommaert, I see those logs from my own sign-in logs and I don't have and am not using any specific or home made application.

I'm also seeing a lot of failures for "dev-rel-auth-prod" and would like to know what it is.  The failures always have Sign-in error code 500581 (Session information is not sufficient for single-sign-on on V2 with prompt=none to verify if MSA account.).  Sometimes they're almost immediately followed by a Success.

@KemalM 

 

I'm seeing unusual failed login attempts to the ACOM Azure Website application as well.  Was this question ever answered about what this application is?  I also don't see it in the Enterprise Applications listing.

Any update on this. Just came across a log saying I signed in using this Vortex app.

 

 

@dbernier -

 

These "suspicious" sign-ins to ACOM Azure Website were being generated by our users when they were going to standard websites like https://azure.microsoft.com and browsing general information but with silent logins their with accounts in our tenant.  Shared the finding with Premier and they were surprised but said there was nothing to be concerned with security-wise. 

 

Is there documentation for this anywhere? I am happy to rely on a test of hitting the site and seeing the log, but documentation would be best.