Office 365 Audit Log Search - Understanding Properties & values

Dear All,

Can someone help me understand the properties and values in Office 365 Audit log search?

Searching for logs related to Exchange does not return any value for any user. But when I search for all activities, it returns values with the following properties:

1. Client IP - Understood

2. Operations: Either UserLoggedIN/UserloggedFAIL/ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken

May I know the difference between UserloggedIN & ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken?

I see both of the above operations from the same client IP listed in the results.

Workload is AzureActiveDirectory.

I also see some random IPs from Europe with ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken & Success. Are they Microsoft cloud IPs used by the system?

Answer

Hi Sat-d1b,

Thanks for the updates.

Based on my test result, the logged-in activity for my ADFS synced user shows only "UserloggedIn". You mentioned that you see both types for the same user in the logs. Regarding "If the user is synced using only ADFS, is it still possible to show "UserloggedIn" operation for this user in logs instead of the other type", it depends, because this kind of behavior is not under our control. If you don't mind, you can ignore this record because it doesn't cause any negative effects.

Regards,
Mouran

1 person found this reply helpful
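
For anyone reviewing the same records, this is an added example (not part of the original thread and not Microsoft tooling) of one way to tabulate the sign-in entries discussed above by user and client IP, so that IPs appearing only with the federated-token operation stand out for review. It assumes each record is a JSON object with `UserId`, `ClientIP`, `Operation`, `ResultStatus` and `Workload` fields; the sample records and function names are constructed for illustration.

```python
import ipaddress
import json
from collections import defaultdict

FEDERATED_OP = "ForeignRealmIndexLogonInitialAuthUsingADFSFederatedToken"

# Constructed sample records using documentation IP ranges, not real audit data.
SAMPLE_RECORDS = [
    '{"UserId": "alice@example.com", "ClientIP": "198.51.100.7", "Operation": "UserLoggedIn", "ResultStatus": "Success", "Workload": "AzureActiveDirectory"}',
    '{"UserId": "Alice@example.com", "ClientIP": "198.51.100.7:51234", "Operation": "%s", "ResultStatus": "Success", "Workload": "AzureActiveDirectory"}' % FEDERATED_OP,
    '{"UserId": "alice@example.com", "ClientIP": "203.0.113.50", "Operation": "%s", "ResultStatus": "Success", "Workload": "AzureActiveDirectory"}' % FEDERATED_OP,
    '{"UserId": "bob@example.com", "ClientIP": "192.0.2.10", "Operation": "UserLoginFailed", "ResultStatus": "Failed", "Workload": "AzureActiveDirectory"}',
    '{"UserId": "bob@example.com", "ClientIP": "192.0.2.99", "Operation": "MailboxLogin", "ResultStatus": "Succeeded", "Workload": "Exchange"}',
]

def normalize_ip(raw):
    """Strip an optional port or brackets; return a canonical IP string or None."""
    raw = (raw or "").strip()
    if raw.startswith("["):            # e.g. [2001:db8::1]:443
        raw = raw[1:].split("]", 1)[0]
    elif raw.count(":") == 1:          # e.g. 198.51.100.7:51234
        raw = raw.split(":", 1)[0]
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        return None

def summarize(lines):
    """Map (user, ip) -> {operation: set of result statuses} for AzureActiveDirectory records."""
    table = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = json.loads(line)
        if rec.get("Workload") != "AzureActiveDirectory":
            continue
        ip = normalize_ip(rec.get("ClientIP"))
        if ip is None:
            continue  # unparseable address: skip rather than guess
        user = rec.get("UserId", "").lower()
        table[(user, ip)][rec.get("Operation", "?")].add(rec.get("ResultStatus"))
    return table

def federated_only(table):
    """(user, ip) pairs whose only recorded operation is FEDERATED_OP."""
    return sorted(key for key, ops in table.items() if set(ops) == {FEDERATED_OP})

if __name__ == "__main__":
    summary = summarize(SAMPLE_RECORDS)
    for (user, ip), ops in sorted(summary.items()):
        print(user, ip, {op: sorted(s) for op, s in ops.items()})
    print("federated-token only:", federated_only(summary))
```
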


Question Info


Last updated October 1, 2021 Views 2,672 Applies to: