Microsoft 365 user logon auditing

Hackers access endpoint devices looking to steal company-specific data, employees' personal data, or any other valuable information that might be of any use to them. To aid you in preventing such attacks, we've compiled a list of parameters that can help you identify unusual logs, which are often the first sign of an attack.

Unusual logon activity is one of the clearest indicators of a security breach, so it's important to audit user logons from both inside and outside your organization. With a tool that monitors the right parameters, most security threats can be identified before intruders gain access to your valuable data.

What parameters should you monitor?

The following parameters can add contextual information to your logon auditing and help you differentiate between regular user logon activity and anomalous logons:

• Endpoint used: Look out for logons from inappropriate devices. The CEO wouldn't log on from a system in the mail room, reception, or accounts section, right?
• Time of logon: Keep track of logons during non-business hours. A user that works a 9-to-5 shift logs in on a Saturday at 3am? Yeah, that’s suspicious.
• Frequency: Monitor the logon trend and identify excessive logons. Users normally log on once in the morning and log out in the evening. A user suddenly logging on and off in short bursts could indicate a problem.
• Concurrency: Most users log on from a single endpoint. But seeing a user suddenly logged in from multiple endpoints simultaneously is an obvious red flag.

User logon auditing with the admin center

User logon auditing with the Microsoft 365 admin center has the following limitations:

• The admin center does not provide a dedicated audit report on user logon activity. You need to filter the required audit logs using the audit log search tool in the Microsoft 365 admin center.
• In the admin center, you can't view user logon information that's older than 180 days.

With M365 Security Plus, on the other hand, you can overcome all the above limitations. In addition to providing everything the Microsoft 365 admin center offers, M365 Security Plus also offers many other features to help you secure your organization.

M365 Security Plus' features

M365 Security Plus provides information on all the parameters we just mentioned in an easy-to-understand report, meaning you don't have to rummage through audit logs in the Microsoft 365 admin center. Also, M365 Security Plus stores audit logs indefinitely, so you don't have to worry about that 180-day window in Microsoft 365.

M365 Security Plus offers the following audit reports on user logons:

• User logon activity
• Recent logon failures
• Recent successful logons

These reports can be set for automatic generation and delivery to your inbox at regular intervals; you can choose between PDF, HTML, XLSX, or CSV formats.

Audit user logons during non-business hours

User logons that occur outside of business hours should be audited for both security and compliance purposes. While Microsoft 365 can log user logons and other user activity natively, it can't filter the required audit log data to track whether employees are logging in to their accounts during non-business hours.

With M365 Security Plus, once you configure your business hours, you can retrieve audit data for user logons during non-business hours in a single click. You can also track user activity happening outside business hours to make sure employees aren't engaging in any malicious activity.