I've noticed some audit logs in my O365 environment where the IP address showing these was recorded as 40.97.169.141, which I confirmed belongs to Microsoft. Can anyone shed light on why O365 Security & Compliance Audit Log would show such a device trying to authenticate with the client's domain-specific username?
I imagine it has something to do with ADFS authentication / routing to Microsoft but have not seen much documentation online about Activity "ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken" and would just like to clarify with someone who may have seen it before, or anyone from MS.
Yes, you are right. The log "ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken" means the user tried to log on with credential "ForeignRealmIndex" and the authentication method is an "ADFSFederatedToken".