Forum Discussion

KemalM's avatar
KemalM
Copper Contributor
May 07, 2020

Azure AD Sign-ins Logs

Hello,

 

When I look at Azure AD Sign-ins Logs, I see many different applications. Some of them are very clear, but not all. For example, what are 

 

dev-rel-auth-prod

AEO Frontend Production

AEO Frontend Production

Office365 Shell WCSS-Client

 

There are some explanations for the latter but it is not clear. For example what are URLs for these? Is there any explanatory document that presents a list of these kind of details?

 

Thanks,

 

Azure Active Directory (AAD)
  • JordyBlommaert's avatar
    JordyBlommaert
    Brass Contributor
    May 12, 2020

    Office 365 Shell WCSS-Client is the browser code that runs whenever a user navigates to (most) Office365 applications in the browser.  The shell, also known as the suite header, is shared code that loads as part of almost all Office365 workloads, including SharePoint, OneDrive, Outlook, Yammer, and many more

    The other apps can be apps that are registered in Azure AD. For example developers that are creating Apps in connection with Azure AD. Therefore they need to create an app registration. If you go to Azure Active Directory -> App Registrations you get an overview of all registrations that are connected towards your Azure AD tenant.

    • KemalM's avatar
      KemalM
      Copper Contributor
      May 12, 2020

      JordyBlommaert Thank you for your reply and explanations for Office365 Shell WCSS-Client. However, I'm definitely disagree with other comment. I have applications in my sign-in logs like:

       

      ACOM Azure Website

      AEO Frontend Production

      dev-rel-auth-prod

       

      which are not listed in Applications list in the portal. There is also AIRS application which is only listed among applications, but there is no any other explanation. So, I am trying to learn what those applications are and what they are used for.

       

      Thx,

       

       

      • JordyBlommaert's avatar
        JordyBlommaert
        Brass Contributor
        May 13, 2020
        Do you see those sign-in logs towards a lot of users? Or only specific users? I think it's not a generic application but a custom developed one.
    • Betty Stolwyk's avatar
      Betty Stolwyk
      Brass Contributor
      May 12, 2020

      JordyBlommaert Would you or anybody know what the application "vortex [wsfed enabled]" is?  It is not a registered application in our tenant.  It has popped up for a couple of our users but they do not know what that is or what they did to cause that sign-in activity.  All the other sign-in information is as expected (IP address, location, browser, OS)

       

      Here is a sample entry from the Azure Active Directory Sign-In log:

      Application: Vortex [wsfed enabled]
      Resource: Windows Azure Active Directory
      IP address: xx.xxx.xxx.xx
      Location: xxxxxx, xx US
      Status: Interrupted
      Sign-in error code: 16000
      Failure reason: Other
      Client app: Unknown
      Device ID:
      Browser: Chrome 81.0.4044
      Operating System: Windows 10
      Join Type:
      MFA result:
      Token issuer type: Azure AD
      Conditional access: Not Applied
       
      Multiple timestamps very close together.  
       
      2020-05-02T01:38:39.466094Z
      2020-05-02T01:38:11.9168794Z
      2020-05-02T01:38:11.622332Z
      2020-05-02T01:38:10.9504493Z
      2020-05-02T01:38:09.696237Z
      2020-05-02T01:37:30.4821975Z
      2020-05-02T01:37:30.247593Z
      2020-05-02T01:37:29.7603399Z
       
      All other information was the same for each timestamp.

       

  • Alex Carlock's avatar
    Alex Carlock
    Iron Contributor
    May 22, 2020

    I'm also seeing a lot of failures for "dev-rel-auth-prod" and would like to know what it is.  The failures always have Sign-in error code 500581 (Session information is not sufficient for single-sign-on on V2 with prompt=none to verify if MSA account.).  Sometimes they're almost immediately followed by a Success.