Microsoft Operator?

Brass Contributor

Hi all,


We recently had an alert raised in Azure Sentinel about "Rare and potentially high-risk Office operations".
When checking the events that triggered the alert. I saw in the "AccountCustomEntity" and "Userkey" field: Microsoft Operator


The account name does make it assumable that is activity regarding Microsoft Support perform actions. But we do not have any open cases.... 
2020-06-04 15_39_11-Logs.png

This is not an account that has been made in the tenant, nor can I find any documentation that states the existence or usage of a Microsoft Operator account. 

I have checked:

  • Azure AD (audit & sign in logs)
  • Exchange audit logs
  • MCAS

Even when filtering on the IP address that has been used I can't find any hits. 
FYI: the IP address is not linked to Microsoft Datacenter. 

Is this indeed a official Microsoft support account and explain where we can the original logs? 

Kind Regards


2 Replies
best response confirmed by LouisMastelinck (Brass Contributor)
The people i reached out to did not know of O365 request. But the documentation and logs do seem to indicate this is what happened. Thanks @Clive Watson
1 best response

Accepted Solutions
best response confirmed by LouisMastelinck (Brass Contributor)