SOLVED

What does 'log on' mean in the Cloud App Security portal?


We are seeing both licenced and non-licenced Office 365 users 'logging on' from other countries in the Cloud App Security portal. We know those users are not in those countries.

Does 'Log on' mean they actually logged on, or attempted to log on? How to tell the difference?

4 Replies
Best Response confirmed by Andrew Warland (Regular Contributor)
Solution

Log on should be successful ones, failed ones are marked differently. For example:

Failed log on (Failure message: Strong Authentication (second factor) is required)

Keep in mind that you might see some internal/datacenter IPs in the list.

Thanks Vasil, appreciate the quick reply. After I received your response I noticed I could search by failed or successful logins as well. Some of our successful logons are in countries where we know our employees simply cannot have been or used a VPN to. But more curiously, this includes employees who don't even have an O365 licence so something odd is happening here.

Time to open a support case I guess, they should be able to provide you more details.

@Vasil Michev This is an old comment but this post is the only one I've seen in my research in reference to this log. This log is actually a successful login but the entity in question did not enter the MFA code, so it gets logged as "Failed log on (Failure message: Strong Authentication (second factor) is required)".

I tested this with my own sign-in by signing in successfully; I received the MFA code but never entered it, and was able to reproduce the same exact log.

This log combined with irregular behavior (different IP, country etc) would raise an alarm for me. Just an FYI.
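A triage sketch for the distinction discussed in this thread, added as an example and not taken from any post above or from Microsoft's tooling. It sorts exported activity rows into successful log ons, "second factor is required" failures (which the last reply's test ties to an accepted password with no MFA code entered) and other failures, then lists the first two kinds when they come from a country you do not expect. The record layout (`user`, `country`, `description`), the helper names and the sample events are assumptions constructed for illustration; only the two description strings come from the thread.

```python
# Description strings as quoted in the thread; everything else is hypothetical.
MFA_REASON = "strong authentication (second factor) is required"

# Lower number = review first.
PRIORITY = {"success": 0, "password_ok_mfa_incomplete": 1}

def classify(description):
    """Map an activity description to a log on outcome."""
    desc = description.strip().lower()
    if desc.startswith("failed log on"):
        # Per the last reply's test: first factor accepted, MFA never completed.
        if MFA_REASON in desc:
            return "password_ok_mfa_incomplete"
        return "failed_other"
    if desc.startswith("log on"):
        return "success"
    return "not_a_logon"

def triage(events, expected_countries):
    """Return (user, country, outcome) for log ons from unexpected countries.

    Other failures are dropped: they do not show that a credential was accepted.
    """
    findings = []
    for ev in events:
        outcome = classify(ev["description"])
        if outcome not in PRIORITY:
            continue
        if ev["country"] in expected_countries:
            continue
        findings.append((ev["user"], ev["country"], outcome))
    return sorted(findings, key=lambda f: (PRIORITY[f[2]], f[0]))

# Constructed sample rows ("XX" stands for any country the user is not in).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "country": "AU", "description": "Log on"},
    {"user": "alice@example.com", "country": "XX", "description":
        "Failed log on (Failure message: Strong Authentication (second factor) is required)"},
    {"user": "bob@example.com", "country": "XX", "description": "Log on"},
    {"user": "carol@example.com", "country": "XX", "description":
        "Failed log on (Failure message: constructed other reason)"},
]

if __name__ == "__main__":
    for user, country, outcome in triage(SAMPLE_EVENTS, {"AU"}):
        print(f"{user:20} {country}  {outcome}")
```

A `password_ok_mfa_incomplete` finding is a reason to reset that user's password even though the sign-in did not complete, since the password itself appears to be known to someone else.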