SOLVED

Office365 Audit Log Information

Contributor

Hi all,

So, I was pulled into a session with counsel and a foresics persion today to discuss some stuff. I came away windering if there was an easy way to "show me every time that <user> logged in to an Office365 service, where the login originated (ip address?), and form what type of device (domain joined?)"...

 

I see an event like "PasswordLogonInitialAuthUsingPassword" which shows some basic info, including the client IP address, but I don't see anything about the client device itself. Is there anything like this available today or is there anything being considered for future implementation?

 

Thanks!

4 Replies

If you mean the Azure AD logs in the SCC, it depends on the workload, for example "Mailbox login" events should give you the client information as well. If you take a look at the logs from the Azure Portal (Classic portal -> Azure AD -> select user -> Activity log) it includes the client information for more types of logins.

 

Are you looking only for auditing the client used or also impose some type of restrictions?

Hi Vasil,

Yes - I am currently using the Office365 Security & Compliance portal (Search & Investigation --> Audit Log Search).

I am only trying to gain insight at the moment - trying to see when a user logged in and accessed and Office365 services, and from where, on what device... the most interesting information would be to see when the user logged in from a non-company issued device, like a personal tablet or home computer.

 

I didn't realize that I could look at AAD information form the Classic Azure portal as well... I just logged in there and it looks like I can't view any user activity from before today... right now specifically... which is strange...

 

I am not looking to impose any restrictions though...

 

Thanks! 

The reports were first available only as part of the Azure protal, they made it to the SCC later on (well some of them). I'm not sure why you are not able to see past events though, perhaps the Azure AD Premium requirements is in play...

 

Here's the documentation just in case: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-view-access-usage-reports#u...

best response confirmed by Deleted
Solution

download the log and take a look in the AuditData column, it has all kinds of extra data that does not show in the browser view.

 

Take a look at https://support.office.com/en-us/article/Detailed-properties-in-the-Office-365-audit-log-ce004100-9e... and https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-...