How to see the IP addresses from where your Office 365 users are accessing their mailbox


In our support experience we had multiple cases where customers wanted to know the IP address from where some of their users have logged in to Outlook Web App or in Outlook client. In the past, this kind of information could not be retrieved from the Office 365 side and only the customers with an Azure subscription had access to these details.

Now this information can be retrieved from new Office 365 Compliance Center(https://protection.office.com),  from the Audit log search, under “Search and Investigation” section.

In order to be able to see the connecting IP address for your users, you have to follow next steps:

 

1. First you need to enable company auditing from Compliance Center. For this step you can find guidance in the next article:

https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c#ID0EABAAA=Before_you_begin

 

2. Since the activity that you need to look for is called “User signed in to mailbox”  and it is a mailbox activity, this requires to enable mailbox auditing for that user from Exchange Online:

You can do this via PowerShell, using  below command:

Set-Mailbox -Identity user@domain.com-AuditEnabled $true

 

3. At the same time “User signed in to mailbox” action is a mailbox owner activity. In Exchange Online, even if you enable mailbox auditing, this does not mean that all the activities from that mailbox will be recorded.

Mailbox auditing has 3 types of recorded activities levels, which can be seen with below command:

 $FormatEnumerationLimit = -1
Get-Mailbox user@domain.com |fl *audit*

AuditEnabled     : true

AuditLogAgeLimit : 90.00:00:00

AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}

AuditDelegate    : {Update, SoftDelete, HardDelete, SendAs, Create}

AuditOwner       : {}

As you can notice, by default, we have no action recorded for AuditOwner  .

So if you need to record the user login activity, you can easily do it with below command:

 Set-Mailbox user@domain.com -AuditOwner MailboxLogin

 

Please refer to below article for more details about what kind of actions you can audit in Exchange Online and about how to enable the auditing for them:

https://technet.microsoft.com/en-us/library/dn879651.aspx

 

4. Once you finished this setup for each user that you want to audit, you should perform the search from Compliance Center. Please be aware that auditing will record only the actions that were performed after the moment you enabled it, as per above procedure.

 

The result should be similar to the one from picture below :

blog2

 

Comments (5)

  1. turbomcp says:

    is that true for http/rpc also?

    1. Nicu Simion says:

      Hello,

      Thank you for your question,

      I have just connected with a test user from Outlook client(MAPI over HTTP) and this connection was also audited, so I could see the IP address from where I made the Outlook connection. About RPC connections, I don’t have an available client where to test, but I guess it is not relevant anymore, as this protocol will soon not be supported anymore.(https://support.microsoft.com/en-us/help/3201590/rpc-over-http-deprecated-in-office-365-on-october-31,-2017)

      So the answer is yes, it applies to both OWA/Outlook access.

      1. turbomcp says:

        great
        thanks for fast reply

  2. JohnnyDh says:

    Hi Nicu,

    Superb article, kudos!

    Will this work for migrated mailboxes (on-prem to cloud) also?

    1. Nicu Simion says:

      Hello Johnny and thank you for your feedback,

      Once a mailbox is migrated to Exchange Online and the user is assigned with an Exchange License(otherwise it cannot access OWA/Outlook), the auditing should work in this scenario as well, but of course, you need first to enable the audited actions for the user, as described here.

Skip to main content