ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken

I've noticed some audit logs in my O365 environment where the IP address showing these was recorded as 40.97.169.141 which I confirmed belongs to Microsoft. Can anyone shed light on why O365 Security & Compliance Audit Log would show such a device trying to authenticate with the client's domain specific username?

I imagine it has something to do with ADFS authentication / routing to Microsoft but have not seen much documentation online about Activity "ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken" and would just like to clarify with someone who may have seen it before, or anyone from MS.

This thread is locked. You can vote as helpful, but you cannot reply or subscribe to this thread.

Answer

Ynnhoj Gnahz

Hi Joshua,

Yes, you are right. The log "ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken" means the user tried to log on with credential "ForeignRealmIndex" and the authentication method is an "ADFSFederatedToken".

Here is a related article for your reference:

https://msdn.microsoft.com/en-us/office-365/office-365-management-activity-api-schema?f=255&MSPPError=-2147217396

Regards,

Robert

Was this reply helpful?

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.

Replies (9)

Question Info

Last updated November 10, 2023 Views 3,086 Applies to:

ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken

Replies (9) 

Question Info

Replies (9)