How to see the IP addresses from where your Office 365 users are accessing their mailbox


In our support experience we had multiple cases where customers wanted to know the IP address from where some of their users have logged in to Outlook Web App or in Outlook client. In the past, this kind of information could not be retrieved from the Office 365 side and only the customers with an Azure subscription had access to these details.

Now this information can be retrieved from new Office 365 Compliance Center(https://protection.office.com),  from the Audit log search, under “Search and Investigation” section.

In order to be able to see the connecting IP address for your users, you have to follow next steps:

 

1. First you need to enable company auditing from Compliance Center. For this step you can find guidance in the next article:

https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c#ID0EABAAA=Before_you_begin

 

2. Since the activity that you need to look for is called “User signed in to mailbox”  and it is a mailbox activity, this requires to enable mailbox auditing for that user from Exchange Online:

You can do this via PowerShell, using  below command:

Set-Mailbox -Identity user@domain.com-AuditEnabled $true

 

3. At the same time “User signed in to mailbox” action is a mailbox owner activity. In Exchange Online, even if you enable mailbox auditing, this does not mean that all the activities from that mailbox will be recorded.

Mailbox auditing has 3 types of recorded activities levels, which can be seen with below command:

 $FormatEnumerationLimit = -1
Get-Mailbox user@domain.com |fl *audit*

AuditEnabled     : true

AuditLogAgeLimit : 90.00:00:00

AuditAdmin       : {Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create}

AuditDelegate    : {Update, SoftDelete, HardDelete, SendAs, Create}

AuditOwner       : {}

As you can notice, by default, we have no action recorded for AuditOwner  .

So if you need to record the user login activity, you can easily do it with below command:

 Set-Mailbox user@domain.com -AuditOwner MailboxLogin

 

Please refer to below article for more details about what kind of actions you can audit in Exchange Online and about how to enable the auditing for them:

https://technet.microsoft.com/en-us/library/dn879651.aspx

 

4. Once you finished this setup for each user that you want to audit, you should perform the search from Compliance Center. Please be aware that auditing will record only the actions that were performed after the moment you enabled it, as per above procedure.

 

The result should be similar to the one from picture below :

blog2

 

Comments (3)

  1. turbomcp says:

    is that true for http/rpc also?

    1. Nicu Simion says:

      Hello,

      Thank you for your question,

      I have just connected with a test user from Outlook client(MAPI over HTTP) and this connection was also audited, so I could see the IP address from where I made the Outlook connection. About RPC connections, I don’t have an available client where to test, but I guess it is not relevant anymore, as this protocol will soon not be supported anymore.(https://support.microsoft.com/en-us/help/3201590/rpc-over-http-deprecated-in-office-365-on-october-31,-2017)

      So the answer is yes, it applies to both OWA/Outlook access.

      1. turbomcp says:

        great
        thanks for fast reply

Skip to main content