Audit logs with 255.255.255.255 Ip Address

T_B_ 1 Reputation point
2022-11-23T09:28:06.387+00:00

I have some entries in the AuditLogs of my tenant where the InitiatedBy.user.ipAddress field has the address "255.255.255.255".
Mainly logs about "security info" update/delete.
What does this mean?
How can an Azure user has this address?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,457 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Givary-MSFT 30,441 Reputation points Microsoft Employee
    2022-11-24T16:34:54.517+00:00

    @T_B_ Thank you for reaching out to us. As I understand you would like to investigate about the audit logs having this information 255.255.255.255.

    Did a quick repro in my demo tenant, on deleting the authenticator app information from a user within Azure AD portal trigger's below information within the audit logs.
    Activity Type - Admin deleted security info
    Status reason - Admin deleted Microsoft Authenticator Authentication Method for user
    IP address - 255.255.255.255

    Just wanted to check are you trying to delete authenticator app information for any user from Azure AD portal? were you able to delete it successfully? Thats when you see this ip address being logged in the Audit logs.

    Let me know if you have any further questions, feel free to post back.

    1 person found this answer helpful.
    0 comments No comments