Can someone help me in understanding the properties and values in Office 365 Audit log search,
Searching for logs related to exchange do not return any value for any user. But when I search for all activities , it returns values with following properties,
1. Client IP - Understood
2. OPerations : Either with UserLoggedIN/UserloggedFAIL/ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken
May I know the difference between UserloggedIN & ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken ?
I see both the above operations from same client IP listed in results.
Workload is AzureActiveDirectory.
Also see some random IPs from Europe with ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken & Success. Are they Microsoft cloud IPs used by system?