Tracing the source of password failures

Hello,

I have a single Hybrid Exchange 2016 set up with ADFS 2016 protecting it with Azure MFA.

I have a user account who is continuously getting locked out of their account due to password failures from the Exchange server (DC is reporting the source of the failure as the Exchange Server).

I am trying to track down the source of the password failure, but I cannot find the IP address. What logs do I need to be looking at on what server that will give me the IP address?

Also, the password failures are not showing up as ADFS failures. I am thinking it is probably an ActiveSync connection causing the problem.

Thanks

0 Replies