UserAgent property value in the unified audit log from the Security & Compliance Center


Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. For more information about this change, read this blog post.

Original KB number: 4487380


When you pull the unified audit log from the Office 365 Security & Compliance Center for successful or failed sign-i, you see the following value for the UserAgent property. This article explains what the information refers to.


The details of the audit log may resemble the following:

{'CreationTime':'YYYY-MM-DD','Id':'GUID','Operation':'UserLoginFailed','OrganizationId': 'OrganizationId','RecordType':15,'ResultStatus':'Failed','UserKey':'', 'UserType':0,'Version':1,'Workload':'AzureActiveDirectory','ClientIP':'','ObjectId':'Unknown','UserId':'', 'AzureActiveDirectoryEventType':1,'ExtendedProperties':[{'Name':'UserAgent','Value':'CBAInPROD'}

More information

User agent usually refers to the information about the user's browser. In this particular case, it indicates that you use a legacy protocol such as POP or IMAP to access your mailbox.

Legacy email clients use Basic authentication. Basic authentication in Exchange Online accepts a user name and a password for client access requests. Blocking Basic authentication can help protect an Exchange Online organization from brute force or password spray attacks. To block basic authentication, see Disable Basic authentication in Exchange Online.