increased logging capabilities
When a standard user logs into Office 365 (SharePoint Online, Exchange Online, etc.) reporting should also include the following:
Login Username
Microsoft Office 365 IP
User/Client IP
User-Agent
Success/Failure of Login
This will allow security folks to monitor for compromised accounts, as well as help with compliance.
Eric Post
shared this idea
8 comments
-
Dave Carskadon
commented
To comment on GeoIP. Would be nice to have this. Having said that, I use a powershell script to pull this in myself. Of course, this info is mostly accurate to the country level. Including the carrier, however is useful for GeoIP logins within country.
-
Dave Carskadon
commented
If one has enabled auditing via Powershell to audit, say login by mailbox owner for all mailboxes, then this is what should be audited. Currently only 50% of mailboxes are audited, despite settings. Microsoft says that auditing of logins is currently not supported. I wonder why it is that you can enable auditing if it is not supported. And if not supported, why does it work half the time. I was sent here by MS support, to say what I am saying. What a joke!
-
Cian O Driscoll
commented
Could we also get bandwidth stats per sessions per user please this will help with determining Data exfiltration on potentially compromised accounts.
-
Jim K
commented
Microsoft's default security setup for office 365 is terrible - i.e. non existent. If we could easily block login attempts from outside of the US we would have never had all the problems with users accounts getting hacked. There are 0 security alerts an admin can get (new device / location login), suspicious activity reports / alerts (our azure reports DO NOT work and azure support has said they can't help). For a business product that's supposed to require little IT knowledge, it is incredibly insecure. Unfortunately many of these ideas are spread out on uservoice and should probably be considered one idea so microsoft actually pays attention:
-
Jim K
commented
I would add that a location based on ip address would be helpful as well. I need to quickly be able to see if an account was accessed outside of a state / country it should be accessed from, I know there is an issue (without looking up each ip address). There should also be some admin alerts based on these logs - e.g. x amount of failed logins triggers alert to admin or any logins from outside the U.S. could trigger alert.
-
Anonymous
commented
This is a must have feature for any larger corporation which is going to use O365 services. I can't believe that this is not implemented from the beggining of O365.
-
Warren Bailey
commented
Agreed this type of information is a bare minimum required to perform any type of rudimentary auditing for a potentially compromised account.
-
Mirza Dedic
commented
We definitely need this feature, need to be able to pull a log of username/IP/client that is accessing Exchange Online. This is huge for security folks, without this we are blind!