Microsoft Operator?

Question

Hi all,&nbsp;We recently had an alert raised in Azure Sentinel about "Rare and potentially high-risk Office operations".When checking the events that triggered the alert. I saw in the "AccountCustomEntity" and "Userkey" field:&nbsp;Microsoft Operator&nbsp;The account name does make it assumable that is activity regarding Microsoft Support perform actions. But we do not have any open cases....&nbsp;This is not an account that has been made in the tenant, nor can I find any documentation that states the existence or usage of a Microsoft Operator account.&nbsp;I have checked:Azure AD (audit &amp; sign in logs)Exchange audit logsMCASEven when filtering on the IP address that has been used I can't find any hits.&nbsp;FYI: the IP address&nbsp;is not linked to Microsoft Datacenter.&nbsp;Is this indeed a official Microsoft support account and explain where we can the original logs?&nbsp;Kind RegardsLouis

clivewatson · Accepted Answer

LouisMastelinck&nbsp;
&nbsp;
Would someone have raised an O365 request?
https://docs.microsoft.com/ro-ro/microsoft-365/compliance/customer-lockbox-requests?view=o365-worldwide#auditing-customer-lockbox-requests
&nbsp;
&nbsp;

Forum Discussion

Microsoft Operator?

Resources