bsjj2727 asked:

Office 365 Logon Activity

Is there any way, possibly through PowerShell, to run some sort of logon activity report against my users on Office 365? The reason I ask is if somehow one of my users' passwords were compromised, an attacker could be logging in via OWA and we would never know it. If I could run a report showing me what IP people are logging in from and times of the day, I could check it periodically to make sure no accounts have been compromised.
ASKER CERTIFIED SOLUTION
Vasil Michev (MVP)
This solution is only available to members.
bsjj2727

ASKER

The SCC never seems to work for me. If I do an audit log search for User signed in to mailbox for the last four days and do all users, it comes back no data available.
SOLUTION
This solution is only available to members.
Apologies for the late response. I was able to pull some more logon activity via the audit log search but there is still a lot I can't get. For instance, it will tell me someone logged on but it won't show if it's via OWA, ActiveSync or MAPI client. Also it doesn't show failed logon attempts; if someone was trying to brute-force their way into one of my mailboxes I would have no idea. Is there a way to get this type of data?
To get additional details, it's best to export the list of events and go over the last field, which contains information about the client, IP, etc.
I've done that; it doesn't show the client that was used to log in and it also doesn't show login failures.
It shows them just fine for me. The login failure events are not covered by any filter though, so you need to get the full list of events. Use the Export results button to download them to CSV, then you can filter for the UserLoginFailed operation. Details about the client and IP will be visible in the AuditData column.
When you import the results into Excel, how are you doing it? It looks like half the file is TSV, CSV.
I was able to get the data into an easier-to-read format. I am finding that users who are logging in via ActiveSync from their phones and the Outlook client look the same. Some will say Outlook and other times it will read as Exchange; the only way I can really tell is from the source IP. Do you have another way of being able to tell which client is being used during logon?
Client information can be spoofed easily; you shouldn't really rely on it anyway. And in any case, if you have suspicions about compromised accounts, the best thing you can do is enforce MFA on the users.
I didn't know MFA was an option. Would that just be used for logging on via the portal, or is it exercised in the Outlook and native mobile apps as well?
It can be used across all workloads, but the client application needs to support it. This is true for most apps these days, but in general it's something you should check for.
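
Added example, not part of the original thread or any poster's code: one way to post-process the CSV export discussed above, reading the JSON in the AuditData column to list the source IPs behind each user's successful logons and to flag repeated UserLoginFailed events. The column names, the `UserLoggedIn` operation, the JSON field names and the sample rows are assumptions made for the illustration.

```python
import csv
import io
import json
from collections import Counter, defaultdict

# Constructed sample export. Column names, the UserLoggedIn operation and the
# JSON field names are assumptions; only AuditData and UserLoginFailed are
# named in the thread.
SAMPLE_EXPORT = '''CreationDate,UserIds,Operations,AuditData
2024-01-10T08:01:12,alice@example.com,UserLoggedIn,"{""UserId"":""alice@example.com"",""Operation"":""UserLoggedIn"",""ClientIP"":""198.51.100.7""}"
2024-01-10T23:40:03,alice@example.com,UserLoggedIn,"{""UserId"":""alice@example.com"",""Operation"":""UserLoggedIn"",""ClientIP"":""203.0.113.50""}"
2024-01-11T02:10:00,bob@example.com,UserLoginFailed,"{""UserId"":""bob@example.com"",""Operation"":""UserLoginFailed"",""ClientIP"":""203.0.113.9""}"
2024-01-11T02:10:04,bob@example.com,UserLoginFailed,"{""UserId"":""bob@example.com"",""Operation"":""UserLoginFailed"",""ClientIP"":""203.0.113.9""}"
2024-01-11T02:10:09,bob@example.com,UserLoginFailed,"{""UserId"":""bob@example.com"",""Operation"":""UserLoginFailed"",""ClientIP"":""203.0.113.9""}"
2024-01-11T09:15:30,bob@example.com,UserLoginFailed,"{""UserId"":""bob@example.com"",""Operation"":""UserLoginFailed"",""ClientIP"":""198.51.100.8""}"
2024-01-11T09:16:02,bob@example.com,UserLoggedIn,"{""UserId"":""bob@example.com"",""Operation"":""UserLoggedIn"",""ClientIP"":""198.51.100.8""}"
'''


def parse_export(csv_text):
    """Yield (time, user, operation, client_ip) for each exported event."""
    # The csv module keeps the quoted AuditData JSON, commas and all, in one
    # field, which is what a naive comma/tab split in a spreadsheet gets wrong.
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            data = json.loads(row["AuditData"])
        except (KeyError, TypeError, ValueError):
            continue  # row without parseable AuditData
        yield (row.get("CreationDate"), data.get("UserId"),
               data.get("Operation"), data.get("ClientIP"))


def logon_report(csv_text, fail_threshold=3):
    """Return (source IPs per user for successful logons, flagged failures)."""
    seen_ips = defaultdict(set)
    failures = Counter()
    for _time, user, operation, ip in parse_export(csv_text):
        if operation == "UserLoggedIn":
            seen_ips[user].add(ip)
        elif operation == "UserLoginFailed":
            failures[(user, ip)] += 1
    # Keep only (user, IP) pairs that reached the failure threshold.
    flagged = {key: n for key, n in failures.items() if n >= fail_threshold}
    return dict(seen_ips), flagged
```

The report keys on the operation and source IP only, in line with the point above that client information can be spoofed.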