May 21 2018
- last edited on
Feb 19 2021
We are seeing both licenced and non-licenced Office 365 users 'logging on' from other countries in the Cloud App Security portal. We know those users are not in those countries.
Does 'Log on' mean they actually logged on, or attempted to log on? How to tell the difference?
May 21 2018 11:46 PMSolution
Log on should be successful ones, failed ones are marked differently. For example:
Failed log on (Failure message: Strong Authentication (second factor) is required)
Keep in mind that you might see some internal/datacenter IPs in the list.
May 22 2018 01:26 PM
Thanks Vasil, appreciate the quick reply. After I received your response I noticed I could search by failed or successful logins as well. Some of our successful logons are in countries where we know our employees simply cannot have been or used a VPN to. But more curiously, this includes employees who don't even have an O365 licence so something odd is happening here.
May 22 2018 11:40 PM
Time to open a support case I guess, they should be able to provide you more details.
Oct 16 2019 07:55 AM
@Vasil Michev This is an old comment but this post is the only one I've seen in my research in reference to this log. This log is actually a successful login but the entity in question did not enter the MFA code, so it gets logged as "Failed log on (Failure message: Strong Authentication (second factor) is required".
I tested this with my own sign in by signing in successfully, I received the MFA code but never entered it and was able to reproduce the same exact log.
This log combined with irregular behavior (different IP, country etc) would raise in alarm for me. Just an FYI.