ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken

I've noticed some audit logs in my O365 environment where the IP address showing these was recorded as 40.97.169.141, which I confirmed belongs to Microsoft. Can anyone shed light on why the O365 Security & Compliance Audit Log would show such a device trying to authenticate with the client's domain-specific username?

I imagine it has something to do with ADFS authentication / routing to Microsoft but have not seen much documentation online about Activity "ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken" and would just like to clarify with someone who may have seen it before, or anyone from MS. 
 

Last updated July 5, 2019

Answer

Hi Joshua,

Yes, you are right. The log "ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken" means the user tried to log on with credential "ForeignRealmIndex" and the authentication method is an "ADFSFederatedToken".

Here is a related article for your reference:

https://msdn.microsoft.com/en-us/office-365/office-365-management-activity-api-schema?f=255&MSPPError=-2147217396

Regards,

Robert
