bsjj2727

Office 365 Logon Activity

Is there any way, possibly through PowerShell, to run some sort of logon activity report against my users on Office 365? The reason I ask is that if somehow one of my users' passwords were compromised, an attacker could be logging in via OWA and we would never know it. If I could run a report showing me what IP people are logging in from and the times of the day, I could check it periodically to make sure no accounts have been compromised.
Microsoft 365* OWA

Last Comment
Vasil Michev (MVP)

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Vasil Michev (MVP)

Log in or sign up to see answer
bsjj2727

ASKER
The SCC never seems to work for me. If I do an audit log search for User signed in to mailbox for the last four days and do all users, it comes back no data available.
SOLUTION
Vasil Michev (MVP)

Log in or sign up to see answer
bsjj2727

ASKER
Apologies for the late response. I was able to pull some more logon activity via the audit log search, but there is still a lot I can't get. For instance, it will tell me someone logged on, but it won't show if it's via OWA, ActiveSync or a MAPI client. Also, it doesn't show failed logon attempts; if someone was trying to brute-force their way into one of my mailboxes, I would have no idea. Is there a way to get this type of data?
Vasil Michev (MVP)

To get additional details, it's best to export the list of events and go over the last field, which contains information about the client, IP, etc.
bsjj2727

ASKER
I've done that. It doesn't show the client that was used to log in, and it also doesn't show login failures.
Vasil Michev (MVP)

It shows them just fine for me. The login failure events are not covered by any filter though, so you need to get the full list of events. Use the Export results button to download them to CSV, then you can filter for the UserLoginFailed operation. Details about the client and IP will be visible in the AuditData column.
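One way to do the filtering described above outside Excel, as an added example that is not part of the original thread: it reads the exported CSV with a real CSV parser, decodes the JSON string held in the AuditData column, and groups UserLoginFailed events by source IP. The column names, the AuditData field names (UserId, ClientIP, ExtendedProperties/UserAgent), the threshold and the sample rows are assumptions or constructed data, not values from the thread.

```python
import csv
import io
import json
from collections import defaultdict

def build_sample_export():
    """Constructed sample export (not real data); the column names are assumed."""
    rows = [  # time, user, operation, source IP, client string
        ("2022-08-01T02:11:05", "alice@example.com", "UserLoginFailed", "203.0.113.7", "ExampleClient/1.0"),
        ("2022-08-01T02:11:09", "alice@example.com", "UserLoginFailed", "203.0.113.7", "ExampleClient/1.0"),
        ("2022-08-01T02:11:14", "bob@example.com", "UserLoginFailed", "203.0.113.7", "ExampleClient/1.0"),
        ("2022-08-01T08:30:00", "bob@example.com", "UserLoginFailed", "198.51.100.20", "Outlook"),
        ("2022-08-01T08:31:12", "alice@example.com", "UserLoggedIn", "192.0.2.10", "Outlook"),
    ]
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for ts, user, op, ip, client in rows:
        audit = {"CreationTime": ts, "Operation": op, "UserId": user, "ClientIP": ip,
                 "ExtendedProperties": [{"Name": "UserAgent", "Value": client}]}
        writer.writerow([ts, user, op, json.dumps(audit)])
    return out.getvalue()

def parse_export(text):
    """Return one flat dict per row, decoding the JSON held in AuditData."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            audit = json.loads(row["AuditData"])
        except (KeyError, TypeError, json.JSONDecodeError):
            continue  # AuditData missing or truncated: skip the row
        props = {p.get("Name"): p.get("Value") for p in audit.get("ExtendedProperties") or []}
        events.append({"time": audit.get("CreationTime") or row.get("CreationDate"),
                       "user": audit.get("UserId") or row.get("UserIds"),
                       "op": audit.get("Operation") or row.get("Operations"),
                       "ip": audit.get("ClientIP", ""), "client": props.get("UserAgent", "")})
    return events

def failed_logins(events, threshold=3):
    """Group UserLoginFailed events by source IP; keep IPs at or above threshold."""
    by_ip = defaultdict(lambda: {"count": 0, "users": set(), "clients": set()})
    for e in events:
        if e["op"] == "UserLoginFailed":
            stats = by_ip[e["ip"]]
            stats["count"] += 1
            stats["users"].add(e["user"])
            stats["clients"].add(e["client"])
    return {ip: s for ip, s in by_ip.items() if s["count"] >= threshold}

if __name__ == "__main__":
    for ip, s in failed_logins(parse_export(build_sample_export())).items():
        print(ip, s["count"], sorted(s["users"]), sorted(s["clients"]))
```

To run it against a real export, pass the file's contents to `parse_export` and adjust the field names to match what the AuditData column actually contains.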
bsjj2727

ASKER
When you import the results into Excel, how are you doing it? It looks like half the file is TSV, CSV.
bsjj2727

ASKER
I was able to get the data into an easier-to-read format. I am finding that users who are logging in via ActiveSync from their phones and the Outlook client look the same. Some will say Outlook and other times it will read as Exchange; the only way I can really tell is from the source IP. Do you have another way of being able to tell which client is being used during logon?
Vasil Michev (MVP)

Client information can be spoofed easily; you shouldn't really rely on it anyway. And in any case, if you have suspicions about compromised accounts, the best thing you can do is enforce MFA on the users.
bsjj2727

ASKER
I didn't know MFA was an option. Would that just be used for logging on via the portal, or is it exercised in the Outlook and native mobile apps as well?
Vasil Michev (MVP)

It can be used across all workloads, but the client application needs to support it. This is true for most apps these days, but in general it's something you should check for.
Vasil Michev (MVP)

If you feel this question wasn't answered or should be closed differently, post an objection. The moderators will review all objections and close it as they feel fit.