I've noticed some audit logs in my O365 environment where the IP address showing these was recorded as which I confirmed belongs to Microsoft. Can anyone shed light on why O365 Security & Compliance Audit Log would show such a device trying to authenticate with the client's domain specific username?

I imagine it has something to do with ADFS authentication / routing to Microsoft but have not seen much documentation online about Activity "ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken" and would just like to clarify with someone who may have seen it before, or anyone from MS. 

Question Info

Last updated September 17, 2019 Views 3,005 Applies to:

Hi Joshua,

Yes, you are right. The log "ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken" means the user tried to log on with credential "ForeignRealmIndex" and the authentication method is an "ADFSFederatedToken".

Here is a related article for your reference:



Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.