Audit feed API returns user logged in message for removed user

New Contributor

I found incorrect message in Audit log about user log in of removed user:

 

{
"Operation": "UserLoggedIn",
"ResultStatus": "Succeeded",
"LogonError": "UserAccountNotFound"
}

Can someone clarify why we have "LogonError" and result status "Succeeded"? Is this correct log message in audit log?

 

3 Replies

I noticed the same events and got this response from a Microsoft Support Escalation Engineer:

 

"My name is Taylor ******** and I am with the office 365 Authentication team. I see that there was a question on the Unified audit logs regarding unknown users being processed and showing Success status. So, what this means is that Azure AD was able to successfully take the attempt and process it. Then the login attempt failed to authenticate due to the user account not found. This is by design and purely means that an attempt was made and was processed."

Update from Microsoft: Upon working with engineering team , we have identified that this is a known issue where “UserAccountNotFound’ shows up with ‘ResultStatus:Succeeded” . They are aware of this issue and are working to getting this fixed in the future. This should not be considered a security breach that that account logged in to the mailbox. It is simply that when Azure AD Workload sends the audit log to the Unified Audit log pipeline, the data is not mapped correctly causing the ‘ResultStatus’ field to show an incorrect value. Hope that clears your concerns

@Mark Winter Any luck on correcting the audit log message to say the logon failed?

Thanks