Share via

User sign in IP address is being partially sanitzed

Tom 1 Reputation point
2021-10-26T15:40:11.473+00:00

Hi, in the AD user sign in logs, I'm seeing a user attempt to sign in from an IP address that looks like the last digits are being sanitized. So for example the IP looks like this "192.168.0.XXX". I've tried to lookup why it might be replacing the end digits with X's but I've come up short. It only happens when the status is "interrupted" (but not everytime it's interrupted). It also displays the username as the user ID in these rows as well, instead of their actual name. Does anyone know why this may be happening?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vipul Sparsh 16,331 Reputation points Microsoft Employee Moderator
    2021-11-02T06:40:26.763+00:00

    @Tom @diegotco Apologies for delay on this one.

    If the user is a guest user, or in certain scenarios we redacted the PII information from IP address, Device ID or display name.
    That is why you see that IP address being sanitized.

    In case of user ID, if there was a sign in interruption and we did not get to the stage to translating the Object guid to UserPrincipalName , we just reflect the Object ID.
    Also if there are MFA scenarios where few times it might take up to 10 minutes for the logs to show the actual UPN, earlier log might show guid, but once we resolve it to UPN, the newer logs will show the UPN as well.

    -----------------------------------------------------------------------------------------------------------------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    1 person found this answer helpful.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.