Access Modes in O365
When conducting cloud forensics with Binalyze Tornado for Office 365, you have two authentication methods available. Each method provides different levels of access and capabilities for data collection.
1. Normal User Login
What is it?
Basic user authentication method
Uses individual Office 365 account credentials
Perfect for single-user investigations
Limited to personal data access
When to use?
Investigating a specific user's activities
Collecting personal mailbox data
Analyzing individual Teams' communications
Personal OneDrive file investigations
2. Admin Consent Login
What is it?
Advanced authentication method
Requires administrative privileges
Organization-wide access
Includes all normal user capabilities plus administrative features
When to use?
Organization-wide investigations
Security incident response
Compliance audits
Multi-user data collection
Available Collectors by Access Mode
Normal User Login Collectors
Email Related Collectors:
Mail Collector
What it collects: Emails, attachments, and message metadata
Use case: Investigating email communications
Example: Collecting sent/received emails for analysis
Mail Folder Collector
What it collects: Email folder structure and organization
Use case: Understanding email organization patterns
Example: Analyzing custom folder setups
Mail Rule Collector
What it collects: Email rules and filters
Use case: Identifying automated email handling
Example: Discovering forwarding rules
Teams Related Collectors:
Teams Collector
What it collects: Teams channel data and files
Use case: Team collaboration analysis
Example: Investigating shared content
Teams Chat Collector
What it collects: Direct messages and chat history
Use case: Communication pattern analysis
Example: Reviewing private conversations
Additional Service Collectors:
OneDrive Collector
What it collects: Cloud storage files and metadata
Use case: File activity investigation
Example: Tracking file sharing history
Calendar Collector
What it collects: Calendar events and meetings
Use case: Activity timeline analysis
Example: Mapping user schedules
Admin Consent Login Collectors:
All Normal User Collectors
Access to all collectors listed above
Can be applied to any user in the organization
Broader scope of data collection
Administrative Collectors:
Entra Sign-In Collector
What it collects: User authentication logs
Use case: Security monitoring
Example: Detecting suspicious login attempts
Entra Directory Audit Collector
What it collects: Azure AD audit logs
Use case: Administrative action tracking
Example: Monitoring permission changes
Key Differences Between Access Modes
Feature
Normal User Login
Admin Consent Login
Access Scope
Personal data only
Organization-wide data
Data Collection
Limited to authenticated user
All users and administrative data
Best For
Individual investigations
Enterprise-level investigations
Advantages
Simple, user-specific analysis
Complete visibility of organization data
Limitations
Cannot access other users' data
Requires admin credentials
Use Case Example
"I need to investigate my own email communications from last month."
"I need to investigate all email communications within the finance department."
Last updated
Was this helpful?