This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 12%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL%3C/text%3E%3C/svg%3E)
I have a user that is failing authentication to exchange online and I'm seeing the attempts in AAD sign in logs. The user isn't experiencing any issues on the PC they are currently using so I believe another system is the issue. The main issue is that the AAD log only shows the the IP of my public IP and not the IP of the PC where failed auth is originating from. Does anyone know of a way to correlate a failed AAD auth back to the PC it originated from in this scenario? Are there any local logs on the PC that i could query that would also say an auth failed (I have ability to get windows event logs and other local logs)?
Hello,
AAD sign-in report is available. Hope, that helps.
Please mark as "Accept the answer" if the above steps helps you. Others with similar issues can also follow the solution as per your suggestion
Regards,
Manu
unfortunately the sign ins page, as I mentioned above, doesn't provide information about the device the authentication attempt originated from so I'm still stuck.
Have you also tried customizing the result so that you can see the device info?
Device info just says windows 10 and Microsoft office 16.0. any other thoughts?
Check, if Resource, Resource ID fields can help
Thanks,
Manu
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 16%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EST%3C/text%3E%3C/svg%3E)
If you have concerns about unauthorized logins, you could improve your security by setting up multi-factor authentication for your users.
Dealing with high number of failed log on attempts from foreign countries utilizing Exchange Online:
https://techcommunity.microsoft.com/t5/exchange/dealing-with-high-number-of-failed-log-on-attempts-from-foreign/m-p/91325
Audit activity reports in the Azure Active Directory portal:
https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs
You can also try, Lepide Azure AD Auditor - to spot when a large number of failed logons are occurring which could indicate a brute force attack.