Forum Discussion

KemalM's avatar
KemalM
Copper Contributor
May 07, 2020

Azure AD Sign-ins Logs

Hello,   When I look at Azure AD Sign-ins Logs, I see many different applications. Some of them are very clear, but not all. For example, what are    dev-rel-auth-prod AEO Frontend Production A...
Azure Active Directory (AAD)
JordyBlommaert's avatar
JordyBlommaert
Brass Contributor
May 12, 2020

Office 365 Shell WCSS-Client is the browser code that runs whenever a user navigates to (most) Office365 applications in the browser.  The shell, also known as the suite header, is shared code that loads as part of almost all Office365 workloads, including SharePoint, OneDrive, Outlook, Yammer, and many more

The other apps can be apps that are registered in Azure AD. For example developers that are creating Apps in connection with Azure AD. Therefore they need to create an app registration. If you go to Azure Active Directory -> App Registrations you get an overview of all registrations that are connected towards your Azure AD tenant.

  • KemalM's avatar
    KemalM
    Copper Contributor
    May 12, 2020

    JordyBlommaert Thank you for your reply and explanations for Office365 Shell WCSS-Client. However, I'm definitely disagree with other comment. I have applications in my sign-in logs like:

     

    ACOM Azure Website

    AEO Frontend Production

    dev-rel-auth-prod

     

    which are not listed in Applications list in the portal. There is also AIRS application which is only listed among applications, but there is no any other explanation. So, I am trying to learn what those applications are and what they are used for.

     

    Thx,

     

     

    • JordyBlommaert's avatar
      JordyBlommaert
      Brass Contributor
      May 13, 2020
      Do you see those sign-in logs towards a lot of users? Or only specific users? I think it's not a generic application but a custom developed one.
      • KemalM's avatar
        KemalM
        Copper Contributor
        May 13, 2020

        JordyBlommaert, I see those logs from my own sign-in logs and I don't have and am not using any specific or home made application.

    • Jeff_Olive's avatar
      Jeff_Olive
      Copper Contributor
      Jun 26, 2020

      KemalM 

       

      I'm seeing unusual failed login attempts to the ACOM Azure Website application as well.  Was this question ever answered about what this application is?  I also don't see it in the Enterprise Applications listing.

      • dbernier's avatar
        dbernier
        Copper Contributor
        Jan 13, 2021

        Any update on this. Just came across a log saying I signed in using this Vortex app.

         

         

  • Betty Stolwyk's avatar
    Betty Stolwyk
    Brass Contributor
    May 12, 2020

    JordyBlommaert Would you or anybody know what the application "vortex [wsfed enabled]" is?  It is not a registered application in our tenant.  It has popped up for a couple of our users but they do not know what that is or what they did to cause that sign-in activity.  All the other sign-in information is as expected (IP address, location, browser, OS)

     

    Here is a sample entry from the Azure Active Directory Sign-In log:

    Application: Vortex [wsfed enabled]
    Resource: Windows Azure Active Directory
    IP address: xx.xxx.xxx.xx
    Location: xxxxxx, xx US
    Status: Interrupted
    Sign-in error code: 16000
    Failure reason: Other
    Client app: Unknown
    Device ID:
    Browser: Chrome 81.0.4044
    Operating System: Windows 10
    Join Type:
    MFA result:
    Token issuer type: Azure AD
    Conditional access: Not Applied
     
    Multiple timestamps very close together.  
     
    2020-05-02T01:38:39.466094Z
    2020-05-02T01:38:11.9168794Z
    2020-05-02T01:38:11.622332Z
    2020-05-02T01:38:10.9504493Z
    2020-05-02T01:38:09.696237Z
    2020-05-02T01:37:30.4821975Z
    2020-05-02T01:37:30.247593Z
    2020-05-02T01:37:29.7603399Z
     
    All other information was the same for each timestamp.

     

Resources