Mar 28 2018 03:37 AM
I found an incorrect message in the audit log about a user login of a removed user:
{ "Operation": "UserLoggedIn", "ResultStatus": "Succeeded", "LogonError": "UserAccountNotFound" }
Can someone clarify why we have "LogonError" and result status "Succeeded"? Is this a correct log message in the audit log?
Apr 26 2018 05:21 AM
I noticed the same events and got this response from a Microsoft Support Escalation Engineer:
"My name is Taylor ******** and I am with the Office 365 Authentication team. I see that there was a question on the Unified audit logs regarding unknown users being processed and showing Success status. So, what this means is that Azure AD was able to successfully take the attempt and process it. Then the login attempt failed to authenticate due to the user account not found. This is by design and purely means that an attempt was made and was processed."
May 15 2018 06:31 AM
Update from Microsoft: Upon working with the engineering team, we have identified that this is a known issue where "UserAccountNotFound" shows up with "ResultStatus:Succeeded". They are aware of this issue and are working on getting this fixed in the future. This should not be considered a security breach in which that account logged in to the mailbox. It is simply that when the Azure AD Workload sends the audit log to the Unified Audit log pipeline, the data is not mapped correctly, causing the "ResultStatus" field to show an incorrect value. Hope that clears up your concerns.
Dec 03 2019 06:00 AM
@Mark Winter Any luck on correcting the audit log message to say the logon failed?
Thanks
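
Added example, not part of the thread and not Microsoft's code: one way to triage exported audit records so that a `UserLoggedIn` event is counted as a sign-in only when `LogonError` is empty, regardless of `ResultStatus`. The sample records are constructed, `UserId` is an assumed field used only for labelling, and the function names are hypothetical; it also assumes genuine sign-ins carry no `LogonError` value.

```python
import json

# Constructed sample AuditData records (not real tenant data). Operation,
# ResultStatus and LogonError are the fields quoted in the thread; UserId is
# an assumed field used here only to label each record.
SAMPLE_RECORDS = """
{"UserId": "alice@example.com", "Operation": "UserLoggedIn", "ResultStatus": "Succeeded"}
{"UserId": "removed.user@example.com", "Operation": "UserLoggedIn", "ResultStatus": "Succeeded", "LogonError": "UserAccountNotFound"}
{"UserId": "bob@example.com", "Operation": "UserLoggedIn", "ResultStatus": "Succeeded", "LogonError": ""}
"""


def effective_result(record):
    """Return 'Failed' when LogonError is set, whatever ResultStatus says."""
    logon_error = (record.get("LogonError") or "").strip()
    if logon_error:
        return "Failed"
    return record.get("ResultStatus", "Unknown")


def triage(lines):
    """Parse JSON lines; return (real sign-ins, mislabelled failures)."""
    successes, mislabelled = [], []
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") != "UserLoggedIn":
            continue
        user = rec.get("UserId", "<unknown>")
        result = effective_result(rec)
        if result == "Succeeded":
            successes.append(user)
        elif rec.get("ResultStatus") == "Succeeded":
            # Logged as Succeeded, but LogonError shows the attempt failed.
            mislabelled.append((user, rec["LogonError"]))
    return successes, mislabelled


if __name__ == "__main__":
    ok, bad = triage(SAMPLE_RECORDS)
    print("real sign-ins:", ok)
    print("Succeeded but LogonError set:", bad)
```
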