Office 365 Audit and Compliance: Checking Password Resets
The audit data which Microsoft provides is pretty powerful, but there is a lot of data gathered from even very small tenants; this can make life difficult at times.
Making sense of this information is something that we can help you do in our Office 365 Audit and Compliance module.
In our first blog post I described the user interface that we’ve built to allow you to get a better understanding of the audit data that is available.
In this blog post I’m going to cover a very simple example relating to password resets.
In our example, a user called John Smith has contacted the helpdesk because he has had some problems resetting his password. It seems he has contacted the helpdesk a couple of times about this. As a helpdesk engineer, I would want to verify who performed any password resets, and when.
Let’s see how we can do that in our Audit and Compliance module.
In the user interface, let’s choose the ‘Workload’: ‘Azure Active Directory’. This narrows the events down to that workload only, so if the user has been using other applications such as email or Teams, those events won’t be shown in our output. Next, let’s choose a date range of the last couple of weeks, and finally in the ‘Full text search’ we can put the user: ‘firstname.lastname@example.org’.
The ‘Full text search’ option allows you to search the whole of the audit data stream for a particular string. It can be very useful when searching for things like specific IP addresses, usernames or filenames.
Once we’ve got these things selected, we click on ‘Search’.
The results come back immediately, and we can see the information in our time-based chart, as well as the timeline view.
What’s interesting is that the person who contacted the helpdesk seems to be someone new at the organization. We know this because there is an ‘Add user’ event.
Perhaps they’re not aware of the password policies that we have in place and have been trying to set a poor password? Perhaps they’ve been trying to log in with their ‘new starter’ password, even after they’ve changed it to something better? Knowing that the user is relatively new to the organization is value-add information that we can discuss with them when we conclude our searches.
If there were a lot of events for this particular search, we could narrow down our results further. We can do this by picking a particular activity (for example ‘Reset user password’), or we could use the data-grid view and filter the results there.
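The same filter sequence (workload, date range, full text search, then activity) applied to exported audit records, as an added example that is not the Audit and Compliance module's own code. The sample records are constructed, and the field and operation names are assumed to follow the Office 365 Management Activity API schema.

```python
import json
from datetime import datetime, timedelta

USER = "firstname.lastname@example.org"  # placeholder address used in the post
END = datetime(2024, 3, 15)              # constructed "today"
START = END - timedelta(days=14)         # "the last couple of weeks"
AAD = "AzureActiveDirectory"

def rec(when, workload, op, actor, target, status="Success"):
    # Assumption: UserId is the account that acted, ObjectId is the target.
    return {"CreationTime": when, "Workload": workload, "Operation": op,
            "UserId": actor, "ObjectId": target, "ResultStatus": status}

# Constructed sample records, not real tenant data.
SAMPLE = [
    rec("2024-03-04T09:12:00", AAD, "Add user.", "admin@example.org", USER),
    rec("2024-03-05T11:30:00", "Exchange", "Send", USER, "mailbox-item"),
    rec("2024-03-11T10:05:00", AAD, "Reset user password.",
        "helpdesk1@example.org", USER),
    rec("2024-03-11T10:20:00", AAD, "Reset user password.",
        "helpdesk1@example.org", "other.person@example.org"),
    rec("2024-03-12T15:40:00", AAD, "Reset user password.",
        "helpdesk2@example.org", USER),
]

def search(records, workload, start, end, text, operation=None):
    """Workload + date range + full text search, optionally one activity."""
    needle = text.lower()
    hits = []
    for r in records:
        when = datetime.fromisoformat(r["CreationTime"])
        if r.get("Workload") != workload or not (start <= when <= end):
            continue
        # Full text search: match the string anywhere in the whole record.
        if needle not in json.dumps(r).lower():
            continue
        # Compare without the trailing period some operation names carry.
        if operation and r.get("Operation", "").rstrip(".") != operation:
            continue
        hits.append(r)
    return sorted(hits, key=lambda r: r["CreationTime"])

def reset_timeline(records, user, start, end):
    """(when, who performed it, result) for each reset targeting `user`."""
    hits = search(records, AAD, start, end, user, "Reset user password")
    return [(r["CreationTime"], r["UserId"], r["ResultStatus"])
            for r in hits if r["ObjectId"].lower() == user.lower()]

if __name__ == "__main__":
    for row in reset_timeline(SAMPLE, USER, START, END):
        print(*row)
```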
The above is just one example of how the Audit and Compliance module makes daily troubleshooting more efficient. Why not sign up for a trial of the Audit and Compliance module and see some of the information about your Office 365 tenant?