Access Modes in O365
When conducting cloud forensics with Binalyze Tornado for Office 365, you have two authentication methods available. Each method provides different levels of access and capabilities for data collection.
1. Normal User Login
What is it?
- Basic user authentication method
- Uses individual Office 365 account credentials
- Perfect for single-user investigations
- Limited to personal data access
When to use?
- Investigating a specific user’s activities
- Collecting personal mailbox data
- Analyzing individual Teams’ communications
- Personal OneDrive file investigations
2. Admin Consent Login
What is it?
- Advanced authentication method
- Requires administrative privileges
- Organization-wide access
- Includes all normal user capabilities plus administrative features
When to use?
- Organization-wide investigations
- Security incident response
- Compliance audits
- Multi-user data collection
Available Collectors by Access Mode
Normal User Login Collectors
Email Related Collectors:
- Mail Collector
  - What it collects: Emails, attachments, and message metadata
  - Use case: Investigating email communications
  - Example: Collecting sent/received emails for analysis
- Mail Folder Collector
  - What it collects: Email folder structure and organization
  - Use case: Understanding email organization patterns
  - Example: Analyzing custom folder setups
- Mail Rule Collector
  - What it collects: Email rules and filters
  - Use case: Identifying automated email handling
  - Example: Discovering forwarding rules
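The forwarding-rule example above is the classic triage question for collected inbox rules: does any rule quietly send mail to an outside address, and does it hide its tracks by deleting or marking the message read? The script below is an added example, not Binalyze Tornado code; it assumes the collected rules are exported as a JSON array shaped like Microsoft Graph `messageRule` objects (`actions.forwardTo`, `redirectTo`, `forwardAsAttachmentTo`, `delete`, `markAsRead`), and the sample rules, addresses and the internal domain `contoso.example` are constructed for illustration.

```python
"""Triage collected inbox rules for silent forwarding (constructed example)."""
import json
from typing import Any

# Constructed sample modelled on the shape of Microsoft Graph "messageRule"
# objects. The rule names and addresses are invented for this example.
SAMPLE_RULES_JSON = """[
  {"id": "r1", "displayName": "Project folder", "isEnabled": true,
   "conditions": {"subjectContains": ["Project X"]},
   "actions": {"moveToFolder": "Projects"}},
  {"id": "r2", "displayName": ".", "isEnabled": true,
   "conditions": {"bodyContains": ["invoice", "payment"]},
   "actions": {"forwardTo": [{"emailAddress": {"address": "drop@mailbox.example.net"}}],
               "delete": true, "markAsRead": true}},
  {"id": "r3", "displayName": "Keep assistant in the loop", "isEnabled": true,
   "conditions": {},
   "actions": {"redirectTo": [{"emailAddress": {"address": "assistant@contoso.example"}}]}},
  {"id": "r4", "displayName": "Old forward", "isEnabled": false,
   "conditions": {},
   "actions": {"forwardAsAttachmentTo": [{"emailAddress": {"address": "me@webmail.example.org"}}]}}
]"""

FORWARDING_ACTIONS = ("forwardTo", "redirectTo", "forwardAsAttachmentTo")


def load_rules(raw: str) -> list[dict[str, Any]]:
    """Parse a JSON array of rule objects as exported by a mail-rule collection."""
    return json.loads(raw)


def forwarding_targets(rule: dict[str, Any]) -> list[str]:
    """Every recipient address the rule forwards or redirects mail to (lower-cased)."""
    actions = rule.get("actions") or {}
    targets = []
    for key in FORWARDING_ACTIONS:
        for recipient in actions.get(key) or []:
            address = (recipient.get("emailAddress") or {}).get("address")
            if address:
                targets.append(address.lower())
    return targets


def triage_rules(rules: list[dict[str, Any]], internal_domains: list[str]) -> list[dict[str, Any]]:
    """Score each rule for forwarding risk; returns findings sorted highest score first."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in rules:
        score, reasons = 0, []
        actions = rule.get("actions") or {}
        targets = forwarding_targets(rule)
        external = [t for t in targets if t.rsplit("@", 1)[-1] not in internal]
        if external:
            score += 3
            reasons.append(f"forwards to external address(es): {', '.join(external)}")
        elif targets:
            score += 1
            reasons.append(f"forwards to internal address(es): {', '.join(targets)}")
        # Forward-and-delete / forward-and-mark-read are the classic "hide the copy" combos.
        if targets and actions.get("delete"):
            score += 2
            reasons.append("deletes the message after forwarding")
        if targets and actions.get("markAsRead"):
            score += 1
            reasons.append("marks forwarded mail as read")
        if len(rule.get("displayName", "").strip()) <= 1:
            score += 1
            reasons.append("near-empty rule name")
        if not rule.get("isEnabled", True):
            reasons.append("rule is currently disabled")
        if score:
            findings.append({"id": rule["id"], "name": rule.get("displayName", ""),
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage_rules(load_rules(SAMPLE_RULES_JSON), ["contoso.example"]):
        print(f"[{f['score']}] {f['id']} '{f['name']}': " + "; ".join(f["reasons"]))
```

Run against the constructed sample, rule `r2` scores highest (external forward, delete, mark-as-read, one-character name); the disabled external forward `r4` still surfaces because a rule an attacker left behind is evidence even when it is off, and the internal redirect `r3` appears at the bottom for an analyst to confirm as legitimate.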
Teams Related Collectors:
- Teams Collector
  - What it collects: Teams channel data and files
  - Use case: Team collaboration analysis
  - Example: Investigating shared content
- Teams Chat Collector
  - What it collects: Direct messages and chat history
  - Use case: Communication pattern analysis
  - Example: Reviewing private conversations
Additional Service Collectors:
- OneDrive Collector
  - What it collects: Cloud storage files and metadata
  - Use case: File activity investigation
  - Example: Tracking file sharing history
- Calendar Collector
  - What it collects: Calendar events and meetings
  - Use case: Activity timeline analysis
  - Example: Mapping user schedules
Admin Consent Login Collectors:
- All Normal User Collectors
  - Access to all collectors listed above
  - Can be applied to any user in the organization
  - Broader scope of data collection
Administrative Collectors:
- Entra Sign-In Collector
  - What it collects: User authentication logs
  - Use case: Security monitoring
  - Example: Detecting suspicious login attempts
- Entra Directory Audit Collector
  - What it collects: Azure AD audit logs
  - Use case: Administrative action tracking
  - Example: Monitoring permission changes
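"Detecting suspicious login attempts" in collected sign-in logs usually starts with two cheap checks: a run of failed authentications from one IP that ends in a success, and one account signing in successfully from two countries within a short window. The script below is an added example, not Binalyze Tornado code; it assumes the collected sign-ins are a JSON array shaped like Microsoft Graph `signIn` records (`createdDateTime`, `userPrincipalName`, `ipAddress`, `status.errorCode`, `location.countryOrRegion`), with `errorCode` 0 meaning success and 50126 being Entra's bad-username-or-password code. The users, addresses and timestamps are constructed for illustration, and the thresholds are example values to tune per tenant.

```python
"""Triage Entra sign-in records for credential-attack patterns (constructed example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any

# Constructed sample modelled on Microsoft Graph "signIn" records.
# Users, IP addresses (documentation ranges) and times are invented.
SAMPLE_SIGNINS_JSON = """[
  {"createdDateTime": "2024-03-01T08:30:00Z", "userPrincipalName": "alice@contoso.example",
   "ipAddress": "198.51.100.7", "status": {"errorCode": 0}, "location": {"countryOrRegion": "GB"}},
  {"createdDateTime": "2024-03-01T09:00:00Z", "userPrincipalName": "alice@contoso.example",
   "ipAddress": "203.0.113.5", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}},
  {"createdDateTime": "2024-03-01T09:01:00Z", "userPrincipalName": "alice@contoso.example",
   "ipAddress": "203.0.113.5", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}},
  {"createdDateTime": "2024-03-01T09:02:00Z", "userPrincipalName": "alice@contoso.example",
   "ipAddress": "203.0.113.5", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}},
  {"createdDateTime": "2024-03-01T09:03:00Z", "userPrincipalName": "alice@contoso.example",
   "ipAddress": "203.0.113.5", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}},
  {"createdDateTime": "2024-03-01T09:04:00Z", "userPrincipalName": "alice@contoso.example",
   "ipAddress": "203.0.113.5", "status": {"errorCode": 0}, "location": {"countryOrRegion": "NL"}},
  {"createdDateTime": "2024-03-01T10:00:00Z", "userPrincipalName": "bob@contoso.example",
   "ipAddress": "198.51.100.7", "status": {"errorCode": 0}, "location": {"countryOrRegion": "GB"}}
]"""


def parse_signins(raw: str) -> list[dict[str, Any]]:
    """Parse the export and return records sorted by time, each with a parsed '_ts'."""
    records = json.loads(raw)
    for r in records:
        r["_ts"] = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
    return sorted(records, key=lambda r: r["_ts"])


def find_failures_then_success(records, min_failures=3, window=timedelta(minutes=30)):
    """Flag a success preceded by >= min_failures failures from the same (user, IP) within window."""
    findings = []
    streak = defaultdict(list)  # (user, ip) -> timestamps of failures since last success
    for r in records:
        key = (r["userPrincipalName"].lower(), r["ipAddress"])
        if r["status"]["errorCode"] != 0:
            streak[key].append(r["_ts"])
            continue
        recent = [t for t in streak.pop(key, []) if r["_ts"] - t <= window]
        if len(recent) >= min_failures:
            findings.append({"type": "failures_then_success", "user": key[0], "ip": key[1],
                             "failures": len(recent), "success_at": r["createdDateTime"]})
    return findings


def find_multi_country(records, window=timedelta(hours=2)):
    """Flag consecutive successful sign-ins by one user from different countries within window."""
    findings = []
    last_success = {}  # user -> (timestamp, country)
    for r in records:
        if r["status"]["errorCode"] != 0:
            continue
        user = r["userPrincipalName"].lower()
        country = (r.get("location") or {}).get("countryOrRegion")
        prev = last_success.get(user)
        if prev and country and prev[1] != country and r["_ts"] - prev[0] <= window:
            findings.append({"type": "multi_country", "user": user,
                             "countries": (prev[1], country),
                             "minutes_apart": int((r["_ts"] - prev[0]).total_seconds() // 60)})
        last_success[user] = (r["_ts"], country)
    return findings


def triage_signins(raw: str) -> list[dict[str, Any]]:
    """Run both checks over one export and return the combined findings."""
    records = parse_signins(raw)
    return find_failures_then_success(records) + find_multi_country(records)


if __name__ == "__main__":
    for finding in triage_signins(SAMPLE_SIGNINS_JSON):
        print(finding)
```

On the constructed sample, `alice` trips both checks: four bad-password attempts from 203.0.113.5 followed by a success four minutes later, and a successful sign-in from NL 34 minutes after one from GB. `bob` produces nothing. Both findings are leads for the analyst, not verdicts; a VPN or a user who genuinely forgot a password produces the same shapes, which is why the next step is correlating with the directory audit log and the user's mail rules.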
Key Differences Between Access Modes
| Feature | Normal User Login | Admin Consent Login |
|---|---|---|
| Access Scope | Personal data only | Organization-wide data |
| Data Collection | Limited to authenticated user | All users and administrative data |
| Best For | Individual investigations | Enterprise-level investigations |
| Advantages | Simple, user-specific analysis | Complete visibility of organization data |
| Limitations | Cannot access other users' data | Requires admin credentials |
| Use Case Example | "I need to investigate my own email communications from last month." | "I need to investigate all email communications within the finance department." |