

How to see the IP addresses from where your Office 365 users are accessing their mailbox

In our support experience, we have had multiple cases where customers wanted to know the IP address from which some of their users logged in to Outlook Web App or the Outlook client. In the past, this kind of information could not be retrieved from the Office 365 side, and only customers with an Azure subscription had access to these details.

 

UPDATE:

As per the latest news, we will enable mailbox auditing by default in the near future for all cloud mailboxes.

So steps 1 to 3 below, which enable mailbox auditing for mailbox login events, will not be needed once auditing is enabled automatically for all Office 365 mailboxes: https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Exchange-Mailbox-Auditing-will-be-enabled-by-default/ba-p/215171

 

 

Now this information can be retrieved from the new Office 365 Compliance Center (https://protection.office.com), from the Audit log search, under the “Search and Investigation” section.

To see the connecting IP address for your users, follow these steps:

 

1. First, you need to enable company auditing from the Compliance Center. For this step you can find guidance in the following article:

https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c#ID0EABAAA=Before_you_begin

 

2. The activity that you need to look for is called “User signed in to mailbox”. Because it is a mailbox activity, you must enable mailbox auditing for that user in Exchange Online.

You can do this via PowerShell, using the command below:

Set-Mailbox -Identity user@domain.com -AuditEnabled $true

 

3. At the same time, “User signed in to mailbox” is a mailbox owner activity. In Exchange Online, enabling mailbox auditing does not mean that all activities in that mailbox will be recorded.

Mailbox auditing records activities at three levels (admin, delegate and owner), which can be seen with the command below:

$FormatEnumerationLimit = -1
Get-Mailbox user@domain.com | fl *audit*

AuditEnabled     : true
AuditLogAgeLimit : 90.00:00:00
AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}
AuditDelegate    : {Update, SoftDelete, HardDelete, SendAs, Create}
AuditOwner       : {}

As you can see, by default no action is recorded for AuditOwner.

So if you need to record user login activity, you can do it with the command below:

Set-Mailbox user@domain.com -AuditOwner MailboxLogin

 

Please refer to the article below for more details about which actions you can audit in Exchange Online and how to enable auditing for them:

https://technet.microsoft.com/en-us/library/dn879651.aspx

 

4. Once you have finished this setup for each user that you want to audit, perform the search from the Compliance Center. Be aware that auditing records only the actions performed after the moment you enabled it, as per the above procedure.

 

The result should be similar to the one in the picture below:

[Image: blog2]
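The steps above as a script, added here as an example and not part of the original article. `Enable-MailboxLoginAudit` and `Get-MailboxLoginIpSummary` are hypothetical helper names, the sample records are constructed, and the AuditData field names (`UserId`, `ClientIPAddress`, `ClientIP`, `CreationTime`) are assumed from the Office 365 audit schema rather than shown on this page.

```powershell
# Added example, not from the original article. The two functions are
# hypothetical helpers; the sample records at the bottom are constructed.

function Enable-MailboxLoginAudit {          # steps 2-3, needs an Exchange Online session
    param([Parameter(Mandatory)][string[]]$Identity)
    foreach ($id in $Identity) {
        # @{Add=...} appends MailboxLogin; a bare value would replace any
        # owner actions already configured on the mailbox.
        Set-Mailbox -Identity $id -AuditEnabled $true -AuditOwner @{Add = 'MailboxLogin'}
        Get-Mailbox -Identity $id | Select-Object UserPrincipalName, AuditEnabled, AuditOwner
    }
}

function Get-MailboxLoginIpSummary {         # step 4, works on live or exported records
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    begin { $rows = @() }
    process {
        # AuditData is a JSON string; field names are assumed from the audit schema.
        $d = $Record.AuditData | ConvertFrom-Json
        if ($d.Operation -ne 'MailboxLogin') { return }
        $ip = if ($d.ClientIPAddress) { $d.ClientIPAddress } else { $d.ClientIP }
        $rows += [pscustomobject]@{ User = $d.UserId; IP = $ip; Time = [datetime]$d.CreationTime }
    }
    end {
        # One row per user and source IP, with login count and first/last time seen.
        $rows | Group-Object User, IP | ForEach-Object {
            $t = @($_.Group.Time | Sort-Object)
            [pscustomobject]@{
                User = $_.Group[0].User; IP = $_.Group[0].IP
                Logins = $_.Count; First = $t[0]; Last = $t[-1]
            }
        }
    }
}

# Constructed sample records (documentation-range IP addresses).
$sample = @(
    '{"CreationTime":"2017-07-03T08:12:44","Operation":"MailboxLogin","UserId":"user@contoso.com","ClientIPAddress":"203.0.113.10"}',
    '{"CreationTime":"2017-07-05T17:40:02","Operation":"MailboxLogin","UserId":"user@contoso.com","ClientIPAddress":"203.0.113.10"}',
    '{"CreationTime":"2017-07-06T02:03:19","Operation":"MailboxLogin","UserId":"user@contoso.com","ClientIPAddress":"198.51.100.77"}'
) | ForEach-Object { [pscustomobject]@{ AuditData = $_ } }

$sample | Get-MailboxLoginIpSummary | Format-Table -AutoSize

# Live: Search-UnifiedAuditLog -StartDate 7/1/2017 -EndDate 7/30/2017 `
#         -Operations MailboxLogin -ResultSize 5000 | Get-MailboxLoginIpSummary
```

A source IP that appears once for a user, outside that user's usual addresses, is the row to look at first; clients behind a shared gateway or proxy all report the gateway's address.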

Comments

  • Anonymous
    March 14, 2017
    is that true for http/rpc also?
    • Anonymous
      March 14, 2017
      Hello, Thank you for your question, I have just connected with a test user from Outlook client (MAPI over HTTP) and this connection was also audited, so I could see the IP address from where I made the Outlook connection. About RPC connections, I don't have an available client where to test, but I guess it is not relevant anymore, as this protocol will soon not be supported anymore. (https://support.microsoft.com/en-us/help/3201590/rpc-over-http-deprecated-in-office-365-on-october-31,-2017) So the answer is yes, it applies to both OWA/Outlook access.
      • Anonymous
        March 14, 2017
        great, thanks for fast reply
  • Anonymous
    May 09, 2017
    Hi Nicu, Superb article, kudos! Will this work for migrated mailboxes (on-prem to cloud) also?
    • Anonymous
      May 09, 2017
      The comment has been removed
  • Anonymous
    July 12, 2017
    I am struggling to find a way to get this data programmatically... I want to get this data out, not login to a website to see. Is there a way I can do that?
    • Anonymous
      July 24, 2017
      Hello, You have the option to connect to Compliance Center from PowerShell, using the steps from this article: https://technet.microsoft.com/en-us/library/mt587092(v=exchg.160).aspx

      Then you can run the command below, which will return all the "mailboxlogin" activities for a particular user, as in the example below:

      Search-UnifiedAuditLog -StartDate 7/1/2017 -EndDate 7/30/2017 -UserIds user@contoso.com -Operations MailboxLogin -Formatted

      If you want to export the login information to a csv file, for all the users that have audit enabled for this activity, you can do it very easily:

      Search-UnifiedAuditLog -StartDate 7/1/2017 -EndDate 7/30/2017 -Operations MailboxLogin -Formatted | Export-Csv -Path C:\temp\mailboxlogin.csv

      You can see the connection details, such as the IP address, in the AuditData section of the returned output. Also I need to mention that getting this data from PowerShell will NOT bypass the prerequisites mentioned in this post.
  • Anonymous
    October 23, 2017
    Will it be available for Exchange 2016?
    • Anonymous
      October 24, 2017
      Hello Fabrizio, Currently this feature is available only for Exchange Online mailboxes, from the new Compliance Center portal.
  • Anonymous
    November 20, 2017
    Thanks for the article. I tried to locate a computer on the shared network that was used to send an email. I turned the audit log for a test account using:

    Set-Mailbox -Identity user@domain.com -AuditEnabled $true
    Set-Mailbox user@domain.com -AuditOwner MailboxLogin

    I got the result for "User signed in to mailbox", but the Client IP address shows the gateway IP address of the shared network, not the actual workstation IP. Is there a way to capture the actual workstation IP?
    • Anonymous
      November 21, 2017
      Hi Danny, As long as your clients are configured to use a gateway or a proxy server to get access to the internet, then all the incoming connections to our servers will be sent on behalf of the gateway/proxy server IP address.
      • Anonymous
        November 21, 2017
        Thanks, Nicu! The shared gateway/proxy address could also be found in the message header, so the information in audit log doesn't help when it comes to investigation.