Office 365 Exchange client connection logs
Solution 1:
IP Address Logging:
You cannot see connection IP addresses, but you can see connection types with the following cmdlets:
Get-ConnectionByClientTypeReport
Get-ConnectionByClientTypeDetailReport
The standard report breaks this out by protocol, and the Detail report breaks down by User, by Protocol.
Other information not available in the O365 platform:
- EWS User Agent Strings. You are flying blind with regard to what types of Exchange Web Services connections are being serviced by your O365 tenant. This can be an issue as EWS is rather open, and there are several nefarious applications that use EWS to scrape company data.
- Mailbox Locations. Mailbox moves within the tenant are restricted from tenant admins. Multiple copies of a given mailbox exist, including DAGs, but these are abstracted by GUIDs.
What is available for administrators:
- Full message trace. For all messages going in and out of the O365 tenant, message trace is available. Live view is 7 days (IIRC), and historical trace can be queried and returned for up to 90 days.
- Auditing. Under Compliance Management > Auditing, a number of reports are available for reporting non-standard usage, such as: Non-owner mailbox access, Legal holds, Admin audit logs (every Add, Set, New and Remove action is logged).
Solution 2:
@blaughw has the correct answer here for straight O365 implantation. However, there may some options available to you.
if you are leveraging SSO with ADFS or another identity platform, you can capture the logon information which will include the IP a user is connecting from. If you are not using ADFS - you may want to consider it, as you can leverage policy controls to restrict access based on location.
If all your users are accessing via corporate LAN or VPN you can capture the outbound requests on the edge devices.
If you have control of your devices and they check in to the domain every so often, you can push a small script that records the addresses for the local computer. You can either have it message out to you - or just keep a running TXT file that you grab when they check in.