Office 365 Exchange client connection logs

logging exchange microsoft-office-365

Solution 1:

IP Address Logging:

You cannot see connection IP addresses, but you can see connection types with the following cmdlets:

Get-ConnectionByClientTypeReport
Get-ConnectionByClientTypeDetailReport

The standard report breaks this out by protocol, and the Detail report breaks down by User, by Protocol.

Other information not available in the O365 platform:

  • EWS User Agent Strings. You are flying blind with regard to what types of Exchange Web Services connections are being serviced by your O365 tenant. This can be an issue as EWS is rather open, and there are several nefarious applications that use EWS to scrape company data.
  • Mailbox Locations. Mailbox moves within the tenant are restricted from tenant admins. Multiple copies of a given mailbox exist, including DAGs, but these are abstracted by GUIDs.

What is available for administrators:

  • Full message trace. For all messages going in and out of the O365 tenant, message trace is available. Live view is 7 days (IIRC), and historical trace can be queried and returned for up to 90 days.
  • Auditing. Under Compliance Management > Auditing, a number of reports are available for reporting non-standard usage, such as: Non-owner mailbox access, Legal holds, Admin audit logs (every Add, Set, New and Remove action is logged).

Solution 2:

@blaughw has the correct answer here for straight O365 implantation. However, there may some options available to you.

if you are leveraging SSO with ADFS or another identity platform, you can capture the logon information which will include the IP a user is connecting from. If you are not using ADFS - you may want to consider it, as you can leverage policy controls to restrict access based on location.

If all your users are accessing via corporate LAN or VPN you can capture the outbound requests on the edge devices.

If you have control of your devices and they check in to the domain every so often, you can push a small script that records the addresses for the local computer. You can either have it message out to you - or just keep a running TXT file that you grab when they check in.

Related

Squid running out of filedescriptors on CentOS 7
Jenkins CI Master-Slave setup with docker for slave server
ProxyPass HTTPS to other server
Grace Period? - AWS EC2 Container Service and Elastic Load Balancers
multiple client istances for openvpn connections
openvpn, option tls-cipher not working, no shared cipher
Bug in WMI namespace for MicrosoftDNS Statistics class?
kswap using 100% of CPU even with 100GB+ of RAM available
EC2 - should security groups be specialized and stacked?
Unable to update Windows 10 programatically
How to enable SSL on ubuntu apache2 ec2 instance correctly?
Limit number of concurrent users switching to root account?