Audit Logs Showing 255.255.255.255 as IP Address in relation to action "User registered Outlook mobile with Code" – What Does It Mean?

NicholasHandelsmann-7401 0 Reputation points
2024-12-03T06:46:27.2133333+00:00

In the audit logs of my Microsoft 365 environment, I’ve noticed entries in the field InitiatedBy.user.ipAddress is listed as 255.255.255.255. This address is typically associated with broadcast traffic, which has left me a bit puzzled. The Log is related to an action named "User registered Outlook mobile with Code".

  • What does this IP address signify in the context of audit logs and the named action?
  • Are there specific scenarios or causes that lead to this being logged?

Thanks in advance for any insights!

Already made a comment some weeks ago here: https://learn.microsoft.com/en-us/answers/questions/1101266/audit-logs-with-255-255-255-255-ip-address

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Sentinel
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator
    2024-12-05T07:25:25.64+00:00

    Hello @NicholasHandelsmann-7401 ,

    Thank you for reaching out Microsoft Q&A.

    I Understand that in the audit logs you have noticed InitiatedBy.user.ipAddress is listed as 255.255.255.255 IP address with an action named "User registered Outlook mobile with Code".

    According to the IP Address, there is a special definition which exists for the IP address 255.255.255.255. It is the broadcast address of the zero network or 0.0.0.0, which in Internet Protocol standards stands for this network, i.e. the local network. Transmission to this address is limited by definition, in that it is never forwarded by the routers connecting the local network to other networks. It is a reserved IP address and cannot be assigned to any single device on a network.

    The action named "User registered Outlook mobile with Code" indicates that the user has successfully Registered for Microsoft authenticator app for the Outlook mobile application and the audit log shows 255.255.255.255 in the IP address section.

    In this scenario, the user may have initiated the action from a device or network that does not have a unique IP address, such as a public Wi-Fi hotspot or a mobile network so that's why it is not triggering the actual IP address of the device in the audit logs.

    Hope this helps!

    Feel free to ask for additional queries : )

    Regards,
    Goutam Pratti.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.