O365 Audit Logs
O365 audit logs (prior to October 2018) displayed successful logins from external IP addresses. i.e. staff who login from external PC via Web, iphone, outlook on home PC etc.
It is now (for the last 12 months) shown only the occasional successful login from external IP (when I absolutely know there are many hundreds external logins). We have used this in the past to identify when accounts have been compromised. We do use MFA - but also check these logs daily as additional defense.
I have had a job logged with Microsoft since October 2018 to resolve this issue and have had at least 10 Microsoft staff gather logs and test (and had to explain the issue many multiple times).
Currently appears to be an effort in futility. We need these logs to provide this information and be consistent.