PhoneGet Quote
US Sales: +1 888 720 9500
US Support: +1 844 245 1108
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9890


Office 365 user logon auditing

Hackers access endpoint devices looking to steal company-specific data, employees' personal data, or any other valuable information that might be of any use to them. To aid you in preventing such attacks, we've compiled a list of parameters that can help you identify unusual logs, which are often the first sign of an attack.

Unusual logon activity is one of the clearest indicators of a security breach, so it's important to audit user logons from both inside and outside your organization. With a tool that monitors the right parameters, most security threats can be identified before intruders gain access to your valuable data.

What parameters should you monitor?

The following parameters can add contextual information to your logon auditing and help you differentiate between regular user logon activity and anomalous logons:

  • Endpoint used: Look out for logons from inappropriate devices. The CEO wouldn't log on from a system in the mail room, reception, or accounts section, right?
  • Time of logon: Keep track of logons during non-business hours. A user that works a 9-to-5 shift logs in on a Saturday at 3am? Yeah, that’s suspicious.
  • Frequency: Monitor the logon trend and identify excessive logons. Users normally log on once in the morning and log out in the evening. A user suddenly logging on and off in short bursts could indicate a problem.
  • Concurrency: Most users log on from a single endpoint. But seeing a user suddenly logged in from multiple endpoints simultaneously is an obvious red flag.

User logon auditing with the admin center

User logon auditing with the Office 365 admin center has the following limitations:

  • The admin center does not provide a dedicated audit report on user logon activity. You need to filter the required audit logs using the audit log search tool in the Office 365 admin center.
  • In the admin center, you can't view user logon information that's older than 90 days.

With O365 Manager Plus, on the other hand, you can overcome all the above limitations. In addition to providing everything the Office 365 admin center offers, O365 Manager Plus also offers many other features to help you secure your organization.

O365 Manager Plus' features

O365 Manager Plus provides information on all the parameters we just mentioned in an easy-to-understand report, meaning you don't have to rummage through audit logs in the Office 365 admin center. Also, O365 Manager Plus stores audit logs indefinitely, so you don't have to worry about that 90-day window in Office 365.

O365 Manager Plus offers the following audit reports on user logons:

  • User logon activity
  • Recent logon failures
  • Recent successful logons

These reports can be set for automatic generation and delivery to your inbox at regular intervals; you can choose between PDF, HTML, XLS, or CSV formats.

O365 Manager plus User logon activity
O365 Manager plus Recent logon failures
O365 Manager plus Recent successful logons

Detect brute-force attacks

Multiple failed logon attempts for a single account in a short span of time is the telltale sign of a brute-force attack. With O365 Manager Plus' Recent Logon Failures report, keep track of any unusual amount of failed logon attempts. This report provides details about the user account being compromised, IP address of the machine being used to log on, date and time of the attempt, and a lot more.

  1. Generate the Recent Logon Failures report.
  2. Automate the report to detect attacks on the go.

O365 Manager Plus business hours auditing

Audit user logons during non-business hours

User logons that occur outside of business hours should be audited for both security and compliance purposes. While Office 365 can log user logons and other user activity natively, it can't filter the required audit log data to track whether employees are logging in to their accounts during non-business hours.

With O365 Manager Plus, once you configure your business hours, you can retrieve audit data for user logons during non-business hours in a single click. You can also track user activity happening outside business hours to make sure employees aren't engaging in any malicious activity.

Identify unauthorized logons with O365 Manager Plus

  Download a free trial now!  Request demo

Other features

A holistic Office 365 administration solution