Office 365 Audit Logs: Multiple failed login attempts from a Microsoft IP address


I have enabled and am reviewing audit logs for our organization, I am seeing multiple failed login attempts, all from Microsoft owned IP addresses. Here's a sample JSON from the downloaded csv:

         "Value":"-2147217390;PP_E_BAD_PASSWORD;The entered and stored passwords do not match."

Here's the whoisip lookup for that IP:

IP Address:
Name: MSFT
Handle: NET-40-74-0-0-1
Registration Date: 23/02/15
Org: Microsoft Corporation
Org Handle: MSFT
Address: One Microsoft Way
City: Redmond
State/Province: WA
Postal Code: 98052

Other Microsoft IPs in the logs include:,,, etc. In total 40 unique IP addresses from the Microsoft owned subnet 40.97.*.* in the past week

Any suggestions about what is trying to login from these IP address? Perhaps a tool integration that's broken?

Hi Mk-rct,

It’s expected behavior that Microsoft IP address is logged in the Audit log.

Here is the reason:

When a user is using a Microsoft Service (such as Word Online, Excel Online) to view documents from SharePoint, it is possible that they’ll make a direct request for the file from SharePoint, and it is also possible that the service in the middle (Word Online, Excel Online, ect.) makes a request to SharePoint on the user’s behalf.

The related team has been aware there’s room for improvement. They’re currently collaborating between teams. However, we hope you understand it’s a long term process in the future, and it’s not expected to see change in short term.


Was this reply helpful?

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.


Question Info

Last updated October 30, 2020 Views 2,647 Applies to: