Office 365 Logon Activity

bsjj2727
Is there any way, possibly through PowerShell, to run some sort of logon activity report against my users on Office 365? The reason I ask is if somehow one of my users' passwords were compromised, an attacker could be logging in via OWA and we would never know it. If I could run a report showing me what IP people are logging in from and times of the day, I could check it periodically to make sure no accounts have been compromised.
Most Valuable Expert 2015
Distinguished Expert 2018
Commented:

Author

Commented:
The SCC never seems to work for me. If I do an audit log search for "User signed in to mailbox" for the last four days and do all users, it comes back "no data available".
Most Valuable Expert 2015
Distinguished Expert 2018
Commented:
To audit mailbox level events, you need to have Mailbox auditing enabled for each individual mailbox: https://technet.microsoft.com/en-us/library/dn879651.aspx
Author

Commented:
Apologies for the late response. I was able to pull some more logon activity via the audit log search, but there is still a lot I can't get. For instance, it will tell me someone logged on, but it won't show if it's via OWA, ActiveSync or MAPI client. Also, it doesn't show failed logon attempts; if someone was trying to brute-force their way into one of my mailboxes I would have no idea. Is there a way to get this type of data?
Most Valuable Expert 2015
Distinguished Expert 2018

Commented:
To get additional details, it's best to export the list of events and go over the last field, which contains information about the client, IP, etc.

Author

Commented:
I've done that; it doesn't show the client that was used to log in, and it also doesn't show login failures.
Most Valuable Expert 2015
Distinguished Expert 2018

Commented:
It shows them just fine for me. The login failure events are not covered by any filter though, so you need to get the full list of events. Use the Export results button to download them to CSV, then you can filter for the UserLoginFailed operation. Details about the client and IP will be visible in the AuditData column.
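The export-and-filter step described in the comment above, as an added PowerShell example (not part of the original thread): it reads the exported CSV, expands the JSON held in the AuditData column, and lists source IPs with repeated UserLoginFailed events. The sample rows are constructed, and the column names (`Operations`, `AuditData`), the JSON fields (`CreationTime`, `UserId`, `ClientIP`) and the `UserLoggedIn` operation name are assumptions about the export layout.

```powershell
# Constructed sample standing in for the file from "Export results".
# Assumed layout: Operations and AuditData columns; AuditData is JSON with
# CreationTime, UserId and ClientIP fields.
$sample = @'
CreationDate,UserIds,Operations,AuditData
2018-03-01T09:00:01,alice@contoso.example,UserLoginFailed,"{""CreationTime"":""2018-03-01T09:00:01"",""UserId"":""alice@contoso.example"",""ClientIP"":""203.0.113.10""}"
2018-03-01T09:00:04,alice@contoso.example,UserLoginFailed,"{""CreationTime"":""2018-03-01T09:00:04"",""UserId"":""alice@contoso.example"",""ClientIP"":""203.0.113.10""}"
2018-03-01T09:00:09,bob@contoso.example,UserLoginFailed,"{""CreationTime"":""2018-03-01T09:00:09"",""UserId"":""bob@contoso.example"",""ClientIP"":""203.0.113.10""}"
2018-03-01T09:12:30,carol@contoso.example,UserLoginFailed,"{""CreationTime"":""2018-03-01T09:12:30"",""UserId"":""carol@contoso.example"",""ClientIP"":""198.51.100.7""}"
2018-03-01T09:13:02,carol@contoso.example,UserLoggedIn,"{""CreationTime"":""2018-03-01T09:13:02"",""UserId"":""carol@contoso.example"",""ClientIP"":""198.51.100.7""}"
2018-03-01T10:40:15,alice@contoso.example,UserLoggedIn,"{""CreationTime"":""2018-03-01T10:40:15"",""UserId"":""alice@contoso.example"",""ClientIP"":""198.51.100.20""}"
'@

# For a real export: $rows = Import-Csv .\AuditLog.csv
$rows = $sample | ConvertFrom-Csv

# Expand the JSON in AuditData into one flat record per event.
$logons = foreach ($row in $rows) {
    $d = $row.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = [datetime]$d.CreationTime
        User      = $d.UserId
        ClientIP  = $d.ClientIP
        Operation = $row.Operations
    }
}

# Source IPs with repeated failures, and which accounts they targeted.
$threshold = 3   # hypothetical cut-off; tune to your tenant
$logons | Where-Object Operation -eq 'UserLoginFailed' |
    Group-Object ClientIP |
    Where-Object Count -ge $threshold |
    ForEach-Object {
        [pscustomobject]@{
            ClientIP = $_.Name
            Failures = $_.Count
            Users    = ($_.Group.User | Sort-Object -Unique) -join ', '
            First    = ($_.Group.Time | Measure-Object -Minimum).Minimum
            Last     = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Format-Table -AutoSize

# Successful sign-ins per user and source IP, for the periodic review.
$logons | Where-Object Operation -eq 'UserLoggedIn' |
    Group-Object User, ClientIP | Select-Object Count, Name
```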

Author

Commented:
When you import the results into Excel, how are you doing it? It looks like half the file is TSV, CSV.

Author

Commented:
I was able to get the data into an easier-to-read format. I am finding that users who are logging in via ActiveSync from their phones and the Outlook client look the same. Some will say Outlook and other times it will read as Exchange; the only way I can really tell is from the source IP. Do you have another way of being able to tell which client is being used during logon?
Most Valuable Expert 2015
Distinguished Expert 2018

Commented:
Client information can be spoofed easily; you shouldn't really rely on it anyway. And in any case, if you have suspicions about compromised accounts, the best thing you can do is enforce MFA on the users.

Author

Commented:
I didn't know MFA was an option. Would that just be used for logging on via the portal, or is it exercised in the Outlook and native mobile apps as well?
Most Valuable Expert 2015
Distinguished Expert 2018

Commented:
It can be used across all workloads, but the client application needs to support it. This is true for most apps these days, but in general it's something you should check for.
Most Valuable Expert 2015
Distinguished Expert 2018

Commented:
If you feel this question wasn't answered or should be closed differently, post an objection. The moderators will review all objections and close it as they feel fit.
