Forum Discussion
Azure AD Sign-ins Logs
Hello,
When I look at Azure AD Sign-ins Logs, I see many different applications. Some of them are very clear, but not all. For example, what are
dev-rel-auth-prod
AEO Frontend Production
AEO Frontend Production
Office365 Shell WCSS-Client
There are some explanations for the latter but it is not clear. For example what are URLs for these? Is there any explanatory document that presents a list of these kind of details?
Thanks,
Office 365 Shell WCSS-Client is the browser code that runs whenever a user navigates to (most) Office365 applications in the browser. The shell, also known as the suite header, is shared code that loads as part of almost all Office365 workloads, including SharePoint, OneDrive, Outlook, Yammer, and many more
The other apps can be apps that are registered in Azure AD. For example developers that are creating Apps in connection with Azure AD. Therefore they need to create an app registration. If you go to Azure Active Directory -> App Registrations you get an overview of all registrations that are connected towards your Azure AD tenant.
JordyBlommaert Thank you for your reply and explanations for Office365 Shell WCSS-Client. However, I'm definitely disagree with other comment. I have applications in my sign-in logs like:
ACOM Azure Website
AEO Frontend Production
dev-rel-auth-prod
which are not listed in Applications list in the portal. There is also AIRS application which is only listed among applications, but there is no any other explanation. So, I am trying to learn what those applications are and what they are used for.
Thx,
- Do you see those sign-in logs towards a lot of users? Or only specific users? I think it's not a generic application but a custom developed one.
JordyBlommaert Would you or anybody know what the application "vortex [wsfed enabled]" is? It is not a registered application in our tenant. It has popped up for a couple of our users but they do not know what that is or what they did to cause that sign-in activity. All the other sign-in information is as expected (IP address, location, browser, OS)
Here is a sample entry from the Azure Active Directory Sign-In log:
Application: Vortex [wsfed enabled]Resource: Windows Azure Active DirectoryIP address: xx.xxx.xxx.xxLocation: xxxxxx, xx USStatus: InterruptedSign-in error code: 16000Failure reason: OtherClient app: UnknownDevice ID:Browser: Chrome 81.0.4044Operating System: Windows 10Join Type:MFA result:Token issuer type: Azure ADConditional access: Not AppliedMultiple timestamps very close together.2020-05-02T01:38:39.466094Z
2020-05-02T01:38:11.9168794Z
2020-05-02T01:38:11.622332Z
2020-05-02T01:38:10.9504493Z
2020-05-02T01:38:09.696237Z
2020-05-02T01:37:30.4821975Z
2020-05-02T01:37:30.247593Z
2020-05-02T01:37:29.7603399ZAll other information was the same for each timestamp.Betty Stolwyk Microsoft reported this as an internal error code and can be ignored. Reference Article https://github.com/MicrosoftDocs/azure-docs/issues/10766
I'm also seeing a lot of failures for "dev-rel-auth-prod" and would like to know what it is. The failures always have Sign-in error code 500581 (Session information is not sufficient for single-sign-on on V2 with prompt=none to verify if MSA account.). Sometimes they're almost immediately followed by a Success.
