Office 365 Logon Activity

Is there any way, possibly through PowerShell, to run some sort of logon activity report against my users on Office 365? The reason I ask is that if somehow one of my users' passwords were compromised, an attacker could be logging in via OWA and we would never know it. If I could run a report showing me what IP people are logging in from and times of the day, I could check it periodically to make sure no accounts have been compromised.
bsjj2727 Asked:
bsjj2727 Author Commented:
The SCC never seems to work for me. If I do an audit log search for "User signed in to mailbox" for the last four days and do all users, it comes back "no data available".
0
Vasil Michev (MVP) Commented:
To audit mailbox level events, you need to have Mailbox auditing enabled for each individual mailbox: https://technet.microsoft.com/en-us/library/dn879651.aspx
0
bsjj2727 Author Commented:
Apologies for the late response. I was able to pull some more logon activity via the audit log search, but there is still a lot I can't get. For instance, it will tell me someone logged on but it won't show if it's via OWA, ActiveSync or a MAPI client. Also, it doesn't show failed logon attempts; if someone was trying to brute-force their way into one of my mailboxes I would have no idea. Is there a way to get this type of data?
0
Vasil Michev (MVP) Commented:
To get additional details, it's best to export the list of events and go over the last field, which contains information about the client, IP, etc.
0
bsjj2727 Author Commented:
I've done that; it doesn't show the client that was used to log in and it also doesn't show login failures.
0
Vasil Michev (MVP) Commented:
It shows them just fine for me. The login failure events are not covered by any filter though, so you need to get the full list of events. Use the Export results button to download them to CSV, then you can filter for the UserLoginFailed operation. Details about the client and IP will be visible in the AuditData column.
0
bsjj2727 Author Commented:
When you import the results into Excel, how are you doing it? It looks like half the file is TSV, CSV.
0
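The filtering described above (export to CSV, keep the UserLoginFailed rows, read the IP out of AuditData), as an added PowerShell example that is not part of the original thread. AuditData is a JSON string embedded in one CSV cell, which is why the export looks mixed in Excel. The sample rows are constructed; the column names other than AuditData, the UserId and ClientIP JSON fields, the function name, the file name and the threshold are assumptions about the export.

```powershell
# Constructed sample rows (not real data). For a real export, replace this with:
#   $rows = Import-Csv .\AuditLog.csv      # file name is hypothetical
$rows = @'
CreationDate,UserIds,Operations,AuditData
2018-03-01T08:02:11Z,alice@example.com,UserLoggedIn,"{""UserId"":""alice@example.com"",""ClientIP"":""198.51.100.10""}"
2018-03-01T09:15:40Z,alice@example.com,UserLoginFailed,"{""UserId"":""alice@example.com"",""ClientIP"":""203.0.113.50""}"
2018-03-01T09:15:52Z,bob@example.com,UserLoginFailed,"{""UserId"":""bob@example.com"",""ClientIP"":""203.0.113.50""}"
2018-03-01T09:16:03Z,alice@example.com,UserLoginFailed,"{""UserId"":""alice@example.com"",""ClientIP"":""203.0.113.50""}"
2018-03-01T11:30:00Z,bob@example.com,UserLoginFailed,"{""UserId"":""bob@example.com"",""ClientIP"":""198.51.100.10""}"
'@ | ConvertFrom-Csv

function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [int] $Threshold = 3    # assumed cut-off for flagging a source IP
    )
    $Rows |
        Where-Object { $_.Operations -eq 'UserLoginFailed' } |
        ForEach-Object {
            $row = $_
            # AuditData is JSON inside a CSV cell; skip rows that do not parse.
            try   { $d = $row.AuditData | ConvertFrom-Json -ErrorAction Stop }
            catch { return }
            [pscustomobject]@{
                Time     = $row.CreationDate
                User     = $d.UserId
                ClientIP = $d.ClientIP
            }
        } |
        Group-Object ClientIP |
        ForEach-Object {
            [pscustomobject]@{
                ClientIP = $_.Name
                Failures = $_.Count
                Users    = (@($_.Group.User | Sort-Object -Unique) -join ', ')
                First    = ($_.Group.Time | Sort-Object | Select-Object -First 1)
                Last     = ($_.Group.Time | Sort-Object | Select-Object -Last 1)
                Flagged  = ($_.Count -ge $Threshold)
            }
        } |
        Sort-Object Failures -Descending
}

Get-FailedLogonSummary -Rows $rows | Format-Table -AutoSize
```

Grouping by source IP rather than by client string matches the advice in the thread that client information is not reliable.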
bsjj2727 Author Commented:
I was able to get the data into an easier-to-read format. I am finding that users who are logging in via ActiveSync from their phones and the Outlook client look the same. Some will say Outlook and other times it will read as Exchange; the only way I can really tell is from the source IP. Do you have another way of being able to tell which client is being used during logon?
0
Vasil Michev (MVP) Commented:
Client information can be spoofed easily; you shouldn't really rely on it anyway. And in any case, if you have suspicions about compromised accounts, the best thing you can do is enforce MFA on the users.
0
bsjj2727 Author Commented:
I didn't know MFA was an option. Would that just be used for logging on via the portal, or is it exercised in the Outlook and native mobile apps as well?
0
Vasil Michev (MVP) Commented:
It can be used across all workloads, but the client application needs to support it. This is true for most apps these days, but in general it's something you should check for.
0
Vasil Michev (MVP) Commented:
If you feel this question wasn't answered or should be closed differently, post an objection. The moderators will review all objections and close it as they feel fit.
0