Office 365 Audit Log Search - Understanding Properties & values

Dear All,

Can someone help me in understanding the properties and values in Office 365 Audit log search,

Searching for logs related to exchange do not return any value for any user. But when I search for all activities , it returns values with following properties,

1. Client IP - Understood

2. OPerations : Either with UserLoggedIN/UserloggedFAIL/ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken

May I know the difference between UserloggedIN & ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken ?

I see both the above operations from same client IP listed in results.

Workload is AzureActiveDirectory.

Also see some random IPs from Europe with ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken & Success. Are they Microsoft cloud IPs used by system?


Question Info

Last updated August 28, 2019 Views 2,476 Applies to:

Hi Sat-d1b,

Thanks for the updates.

Based on my test result, the logged in activity for my ADFS synced user shows only "UserloggedIn". You mentioned that you see both the types for the same user in the logs, regarding "If the user is synced using only ADFS, is it still possible to show "UserloggedIn" operation for this user in logs instead of the other type", it depends because this kind of behavior is not under our control. If you don't mind, you can ignore this record because it doesn't cause any negative effects.


1 person was helped by this reply


Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.