Feedback by UserVoice

How can we improve compliance or protect your users better in Office 365?

Suspicious Login Reports and Alerts

Microsoft needs to include FREE reporting and alerts to paying office 365 subscribers. Apparently the azure reports that would be useful to office 365 subscribers require a paid subscription (according to the 2 tickets I put in with azure support)
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-view-access-usage-reports.

The office 365 audit log is a mess and doesn't give a clear picture of all suspicious activity for all users at a glance, e.g. logins from multiple geographies.

Ideally, admins would be able to get alerts based on suspicious activity. We've had several users accounts get hacked and we've had no idea. People were logging in from all over the world. A simple alert or report would have saved us a lot of headache.

314 votes
Vote
Sign in
(thinking…)
Sign in with: Facebook Google
Signed in as (Sign out)
You have left! (?) (thinking…)
Jim K shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

20 comments

Sign in
(thinking…)
Sign in with: Facebook Google
Signed in as (Sign out)
Submitting...
  • Dan Stockman commented  ·   ·  Flag as inappropriate

    I can't believe we don't have a simple fix for this and why are there not 10K+ comments here. We are trying to go with MFA for all but there are always holes.... I have clients being hacked by Russia, Brazil, etc... and nothing is being done. The shared Email accounts are the worst as we don't have MFA setup on those. I would think an alert should go to the company administrators if suddenly an account randomly has xx failed login attemps, or randomly an international IP attempted to login for the first time ever, or even as simple as a thousand outbound messages with exact same scam link are identified. We don't need advanced AI here.... just some simple programming I would think could easily fix this mess.

  • Bill Gates commented  ·   ·  Flag as inappropriate

    go to the cloud because its secure so claims microsloth and doodle and other ********* companies with limited to no security mindset. OH what you want to monitor activity? Oh well that's extra!! Yeah ******** microsoft you pos. Cloud isn't secure its a gaping hole!!!

  • CloudGuy commented  ·   ·  Flag as inappropriate

    As an o365/azure administrator my job to know of a compromised account immediately or about a suspicious login. We upgraded to a paid version (P2) in hopes of finding about this type of issues immediately but it has not been very successful of delivering the promise. We would like to be able to get the alert immediately when sign-ins are happening from regions we have no business in and or any suspicious activity for that matter. So I absolutely agree with the others on this board that the alerting and reporting needs to be improved drastically to justify the price per user.

  • Tim Whitney commented  ·   ·  Flag as inappropriate

    Not knowing someone is using their Desktop Outlook - while someone else (hacker) is using the online Outlook is a serious security problem. Hacker was able to selectively hide emails and managed to access a bank account. Neither the Admin or User knew this was happening on 5/16/19. Need Alert Policy for Login with Outlook Online being used - ASAP!

  • Anonymous commented  ·   ·  Flag as inappropriate

    I have purchased 10 P1 licenses, and even after making a condition access policy, it is still a messy mess, and I still only discovered a hacked mail account because of the fowarding rule alert. We need to know ASAP, we need a text message on our phones as soon as a logon breach is suspected. Yes, I can look at IMAP failures and I can see hundreds of scripted attempted logons from China Brazil Russia etc... but what about logons from browser/O365 portal? One account hacked from Lagos. I needed to know that at the time, at late at night, in the early hours of the morning, whenever. Give us the tools we need. Make it simple. I even purchased the licenses and still it doesn't offer security.

  • bob cleary commented  ·   ·  Flag as inappropriate

    I am going to add my voice to this request. It is needed and a sore spot for many of my clients that use Office 365. Having the alert to know when there is a logon attempt a previously unknown IP would be a great feature and an additional selling point.

  • Jon Rubow commented  ·   ·  Flag as inappropriate

    +1 on this. I would love a quick alert of suspicious logins so I don't have to monitor a board all day.

  • Cristian Rodriguez commented  ·   ·  Flag as inappropriate

    Good morning.

    Please include in O365 the functionality to create and edit policy alerts about impossible travel.

    Thanks for your attention.

  • Jim Hill commented  ·   ·  Flag as inappropriate

    This is a much needed feature. As a system admin I have a hard time believing that it isn't a built in feature.

  • Anonymous commented  ·   ·  Flag as inappropriate

    I have a user that was unexpectedly getting MFA verification code text messages in the middle of the night. But to find out where the authorization request is coming from requires a paid feature upgrade (Azure AD P1 or P2). I'm completely dismayed. I expect Microsoft to provide significant level of tooling in all SKUs to ensure users of its Office 365 platform are confident in the security.

  • WLF Admin commented  ·   ·  Flag as inappropriate

    I've spent dozens of hours trying to work out hacks that would have taken me just a few minutes with Kerio Connect. What on earth are we paying for if we cannot deal with basic security?

  • Casey M commented  ·   ·  Flag as inappropriate

    i agree with this statement, i'm running into this problem as well. I could understand some of the "automated" features they are wanting to be a paid portion, but being able to check and have notifications that a users account is being used from a wildly different geographic location should be part of the O365 service as is.

  • Jim K commented  ·   ·  Flag as inappropriate

    Also, like Google already does, an email should be sent to the recipient when there is a new login from a device. This should at least be a configurable setting for admins. There is literally no "turned on by default" security measure in place for office 365. Users give up their credentials in phishing attempts all the time. We need more measure in place for admins to combat these issues.

Feedback and Knowledge Base