I've noticed some audit logs in my O365 environment where the IP address showing these was recorded as 220.127.116.11 which I confirmed belongs to Microsoft. Can anyone shed light on why O365 Security & Compliance Audit Log would show such a device trying
to authenticate with the client's domain specific username?
I imagine it has something to do with ADFS authentication / routing to Microsoft but have not seen much documentation online about Activity "ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken" and would just like to clarify with someone who may have seen
it before, or anyone from MS.
This thread is locked. You can follow the question or vote as helpful, but you cannot reply to this thread.
Yes, you are right. The log "ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken" means the user tried to log on with credential "ForeignRealmIndex" and the authentication
method is an "ADFSFederatedToken".