Access Modes in O365

When conducting cloud forensics with Binalyze Tornado for Office 365, you have two authentication methods available. Each method provides different levels of access and capabilities for data collection.

1. Normal User Login

What is it?

  • Basic user authentication method

  • Uses individual Office 365 account credentials

  • Perfect for single-user investigations

  • Limited to personal data access

When to use?

  • Investigating a specific user's activities

  • Collecting personal mailbox data

  • Analyzing an individual user's Teams communications

  • Personal OneDrive file investigations

2. Admin Consent Login

What is it?

  • Advanced authentication method

  • Requires administrative privileges

  • Organization-wide access

  • Includes all normal user capabilities plus administrative features

When to use?

  • Organization-wide investigations

  • Security incident response

  • Compliance audits

  • Multi-user data collection

Available Collectors by Access Mode

Normal User Login Collectors

Email Related Collectors:

  • Mail Collector

    • What it collects: Emails, attachments, and message metadata

    • Use case: Investigating email communications

    • Example: Collecting sent/received emails for analysis

  • Mail Folder Collector

    • What it collects: Email folder structure and organization

    • Use case: Understanding email organization patterns

    • Example: Analyzing custom folder setups

  • Mail Rule Collector

    • What it collects: Email rules and filters

    • Use case: Identifying automated email handling

    • Example: Discovering forwarding rules
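The Mail Rule Collector's "discovering forwarding rules" use case is usually the first thing an analyst checks after a mailbox compromise, because attackers set rules that forward or redirect mail externally and hide the originals. The script below is an added example, not Binalyze Tornado code; it assumes the collected rules have the shape of Microsoft Graph messageRule objects (displayName, isEnabled, actions.forwardTo / redirectTo / forwardAsAttachmentTo, actions.delete, actions.markAsRead) and that the tenant's own domain is contoso.example. The sample records are constructed.

```python
"""Flag inbox rules that forward or redirect mail outside the organization.

Added example, not part of Binalyze Tornado. Assumptions: rules follow the
Microsoft Graph messageRule schema, and INTERNAL_DOMAINS lists the tenant's
own e-mail domains (contoso.example is a constructed placeholder).
"""
import json

INTERNAL_DOMAINS = {"contoso.example"}  # assumption: the investigated tenant's domains

# Action keys that send a copy of a message somewhere else.
FORWARD_KEYS = ("forwardTo", "redirectTo", "forwardAsAttachmentTo")

# Constructed sample of what a collected messageRules response could contain.
SAMPLE_RULES_JSON = json.dumps({
    "value": [
        {
            "id": "rule-1",
            "displayName": "Archive newsletters",
            "isEnabled": True,
            "conditions": {"senderContains": ["newsletter"]},
            "actions": {"moveToFolder": "Archive", "stopProcessingRules": False},
        },
        {
            # Typical post-compromise rule: one-character name, external target,
            # original deleted and marked read so the owner never sees it.
            "id": "rule-2",
            "displayName": ".",
            "isEnabled": True,
            "conditions": {"subjectContains": ["invoice", "payment"]},
            "actions": {
                "forwardTo": [{"emailAddress": {"address": "collector@external-mail.example"}}],
                "delete": True,
                "markAsRead": True,
            },
        },
        {
            # Internal forwarding is normal business behaviour and is not flagged.
            "id": "rule-3",
            "displayName": "Copy to assistant",
            "isEnabled": True,
            "conditions": {},
            "actions": {"forwardTo": [{"emailAddress": {"address": "assistant@contoso.example"}}]},
        },
    ]
})


def _addresses(actions, key):
    """Return the lower-cased recipient addresses listed under one action key."""
    return [r.get("emailAddress", {}).get("address", "").lower() for r in actions.get(key, [])]


def external_forwarding_rules(rules_json, internal_domains=INTERNAL_DOMAINS):
    """Return enabled rules that send mail to a domain outside internal_domains,
    with the indicators that make each rule suspicious."""
    findings = []
    for rule in json.loads(rules_json)["value"]:
        if not rule.get("isEnabled", False):
            continue
        actions = rule.get("actions", {})
        targets = [a for key in FORWARD_KEYS for a in _addresses(actions, key)]
        external = [a for a in targets if a.rsplit("@", 1)[-1] not in internal_domains]
        if not external:
            continue
        indicators = ["forwards outside the organization"]
        if actions.get("delete"):
            indicators.append("deletes the original message")
        if actions.get("markAsRead"):
            indicators.append("marks the message as read")
        name = rule.get("displayName", "")
        if not name.strip(" .,-_"):
            indicators.append("near-empty rule name")
        findings.append({"id": rule["id"], "name": name, "targets": external, "indicators": indicators})
    return findings


if __name__ == "__main__":
    for finding in external_forwarding_rules(SAMPLE_RULES_JSON):
        print(finding["id"], finding["targets"], "; ".join(finding["indicators"]))
```

Running it against the constructed sample reports only rule-2: forwarding to an external domain while deleting and marking the original as read, under a near-empty name. Passing the tenant's full domain list as internal_domains is what keeps legitimate internal forwarding out of the findings.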

Teams Related Collectors:

  • Teams Collector

    • What it collects: Teams channel data and files

    • Use case: Team collaboration analysis

    • Example: Investigating shared content

  • Teams Chat Collector

    • What it collects: Direct messages and chat history

    • Use case: Communication pattern analysis

    • Example: Reviewing private conversations

Additional Service Collectors:

  • OneDrive Collector

    • What it collects: Cloud storage files and metadata

    • Use case: File activity investigation

    • Example: Tracking file sharing history

  • Calendar Collector

    • What it collects: Calendar events and meetings

    • Use case: Activity timeline analysis

    • Example: Mapping user schedules

Admin Consent Login Collectors

  • All Normal User Collectors

    • Access to all collectors listed above

    • Can be applied to any user in the organization

    • Broader scope of data collection

Administrative Collectors:

  • Entra Sign-In Collector

    • What it collects: User authentication logs

    • Use case: Security monitoring

    • Example: Detecting suspicious login attempts

  • Entra Directory Audit Collector

    • What it collects: Azure AD audit logs

    • Use case: Administrative action tracking

    • Example: Monitoring permission changes
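The Entra Sign-In Collector's "detecting suspicious login attempts" use case comes down to reading the sign-in records in bulk rather than one at a time. The script below is an added example, not Binalyze Tornado code; it assumes the collected records use the Microsoft Graph signIn shape (createdDateTime, userPrincipalName, ipAddress, status.errorCode with 0 meaning success) and applies two simple analytics: one source IP failing against several distinct accounts (a spray pattern) and a burst of failures followed by a success from the same IP (a guess that landed). The records, IP addresses and thresholds are constructed.

```python
"""Surface suspicious sign-in patterns in collected Entra sign-in records.

Added example, not part of Binalyze Tornado. Assumptions: records follow the
Microsoft Graph signIn schema; errorCode 0 is success and any other code is a
failure. All sample values below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(value):
    """Parse a Graph-style UTC timestamp such as 2024-05-01T08:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _event(when, upn, ip, code):
    """Build one constructed sign-in record in Graph signIn shape."""
    return {
        "createdDateTime": when,
        "userPrincipalName": upn,
        "ipAddress": ip,
        "status": {"errorCode": code},
    }


# Constructed sample: one IP guesses across four accounts and gets into the
# fourth; a second IP is a normal single successful login.
SAMPLE_SIGNINS = [
    _event("2024-05-01T08:00:00Z", "alice@contoso.example", "203.0.113.7", 50126),
    _event("2024-05-01T08:00:20Z", "bob@contoso.example", "203.0.113.7", 50126),
    _event("2024-05-01T08:00:40Z", "carol@contoso.example", "203.0.113.7", 50126),
    _event("2024-05-01T08:01:00Z", "dave@contoso.example", "203.0.113.7", 50126),
    _event("2024-05-01T08:01:30Z", "carol@contoso.example", "203.0.113.7", 0),
    _event("2024-05-01T08:05:00Z", "alice@contoso.example", "198.51.100.20", 0),
]


def analyze_signins(records, spray_threshold=3, burst_threshold=3, window=timedelta(minutes=30)):
    """Return findings per source IP: spray patterns and failure bursts that end in a success."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ipAddress"]].append(rec)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: _ts(e["createdDateTime"]))

        # Pattern 1: failures spread over many distinct accounts from one IP.
        failed_users = {e["userPrincipalName"] for e in events if e["status"]["errorCode"] != 0}
        if len(failed_users) >= spray_threshold:
            findings.append({"ip": ip, "pattern": "password-spray", "accounts": sorted(failed_users)})

        # Pattern 2: at least burst_threshold failures inside the window, then a success.
        recent_failures = []
        for e in events:
            when = _ts(e["createdDateTime"])
            recent_failures = [t for t in recent_failures if when - t <= window]
            if e["status"]["errorCode"] != 0:
                recent_failures.append(when)
            elif len(recent_failures) >= burst_threshold:
                findings.append({
                    "ip": ip,
                    "pattern": "failures-then-success",
                    "account": e["userPrincipalName"],
                    "failures": len(recent_failures),
                })
                recent_failures = []
    return findings


if __name__ == "__main__":
    for finding in analyze_signins(SAMPLE_SIGNINS):
        print(finding)
```

On the constructed sample the first IP produces both findings (four accounts sprayed, then a success for carol after four failures) and the second IP produces none. The thresholds and window are starting points; tune them to the tenant's normal failure rate before treating a hit as an incident.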


Key Differences Between Access Modes

  • Access Scope

    • Normal User Login: Personal data only

    • Admin Consent Login: Organization-wide data

  • Data Collection

    • Normal User Login: Limited to the authenticated user

    • Admin Consent Login: All users and administrative data

  • Best For

    • Normal User Login: Individual investigations

    • Admin Consent Login: Enterprise-level investigations

  • Advantages

    • Normal User Login: Simple, user-specific analysis

    • Admin Consent Login: Complete visibility of organization data

  • Limitations

    • Normal User Login: Cannot access other users' data

    • Admin Consent Login: Requires admin credentials

  • Use Case Example

    • Normal User Login: "I need to investigate my own email communications from last month."

    • Admin Consent Login: "I need to investigate all email communications within the finance department."
