Aug 14 2017 11:38 AM
How on Earth does failed login attempt auditing for Office 365 not come standard. If i would have known that this was not included in the E1 I would have never purchased it. Like Microsoft always likes to do, suck them in and then suck them dry. A critical component to any online presents is finding out if you are being attacked, the only way to know is if you can audit those failed login attempts to see if somone is trying to guess your account and password. Critical YES. Oh wait it is possible but only if you have the premium feature. Does anyone else not think that this could be a critical issue in having an online presents, or should have been told about this ahead of time. Sorry for my rant but little frustrated now to have to feed the pig again.
Aug 14 2017 12:37 PM
Putting the vitriol aside, I do kind of agree that limiting the 'Signs-in activities' report for example to only customers with the Azure AD Premium license seems like a contradiction. It's something I brought up in this thread, kind of - Office 365 Fragmentation? What you do get for free are the following reports, which is still pretty good, while the more extensive reporting requires the better licencing - Azure Active Directory reporting:
From what I can gather the free reporting has got worse with the move to the new portal with for example the Sign-ins after multiple failures report set to be retired.
Aug 14 2017 02:34 PM
Aug 15 2017 03:00 AM - edited Aug 15 2017 03:07 AM
I can understand where you are coming from, it would be nice if more security reports came as standard, for exactly the reasons you have pointed out. Saying that make sure you sign up for the free Azure AD reports I mentioned, which is something - Reports in the Office 365 Security & Compliance Center.
Aug 15 2017 04:15 AM
Office 365 is a commercial service so it's not really surprising that Microsoft has several levels of service that you need to pay for. It's the same in the on-premises world. For instance, Exchange 2016 comes in a standard and an enterprise edition. If you are happy with five mailbox databases, you can pay less and go with the standard edition. If you need to run more, you need to pay more and run the enterprise edition. In other words, you decide what functionality you need and then you know what you have to pay for.
Coming back to Office 365 auditing, the events for failed logins are captured by Azure AD and could be processed for inclusion in the audit data mart. However, that is not the case and I think that someone decided that the more appropriate place for this kind of activity to be monitored is the Azure AD portal. In some ways, it makes sense because the Azure AD portal is where security comes together for Azure applications. I can see a good case to be argued for failed login events to show up in the Office 365 audit log too (especially as successful logins are often captured by apps like Teams). If you want to make a case for this to happen, why not create an request in User Voice? You'll probably get a better response there than you will from sounding off here.