Accessing Office 365

When conducting cloud forensics with Binalyze Tornado for Office 365, you can choose between two authentication methods, each offering different levels of access and data collection capabilities.


1. Normal User Login

What is it?

  • Basic user authentication method

  • Uses individual Office 365 account credentials

  • Ideal for single-user investigations

  • Limited to personal data access

When to use it?

  • Investigating a specific user's activities

  • Collecting personal mailbox data

  • Analyzing individual Teams communications

  • Reviewing personal OneDrive files


2. Admin Consent Login

What is it?

  • Advanced authentication method requiring administrative privileges

  • Provides organization-wide access

  • Includes all Normal User Login capabilities plus administrative features

When to use it?

  • Organization-wide investigations

  • Security incident response

  • Compliance audits

  • Multi-user data collection


Available Collectors by Access Mode

Normal User Login Collectors

Email Collectors

  • Mail Collector

    • What it collects: Emails, attachments, and message metadata

    • Use case: Investigating email communications

    • Example: Analyzing sent and received emails

  • Mail Folder Collector

    • What it collects: Email folder structure and organization

    • Use case: Understanding email organization patterns

    • Example: Reviewing custom folder setups

  • Mail Rule Collector

    • What it collects: Email rules and filters

    • Use case: Identifying automated email handling

    • Example: Discovering forwarding rules
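As an added illustration of what an analyst does with the output of the Mail Rule Collector (this is example code, not Binalyze Tornado code), the script below triages a set of collected mailbox rules and flags the patterns that matter in a business-email-compromise investigation: forwarding or redirecting to external addresses, deleting or marking-as-read to hide activity, and empty or dot-only rule names. It assumes the collected rules follow the Microsoft Graph `messageRule` JSON shape; the sample rules and the internal domain list are constructed for the example.

```python
"""Triage collected Office 365 mailbox rules for forwarding/hiding behaviour.

Added example (not Binalyze Tornado code). Assumption: the collector exports
rules in the Microsoft Graph `messageRule` JSON shape; sample data is constructed.
"""
import json

# Constructed sample: one benign rule, one classic BEC persistence rule,
# and one disabled leftover redirect.
SAMPLE_RULES_JSON = """[
  {"displayName": "Archive newsletters", "isEnabled": true,
   "conditions": {"senderContains": ["newsletter"]},
   "actions": {"moveToFolder": "archive", "stopProcessingRules": true}},
  {"displayName": ".", "isEnabled": true,
   "conditions": {"bodyContains": ["invoice", "payment"]},
   "actions": {"forwardTo": [{"emailAddress": {"address": "collector@example.net"}}],
               "delete": true, "markAsRead": true}},
  {"displayName": "Old forward", "isEnabled": false,
   "conditions": {},
   "actions": {"redirectTo": [{"emailAddress": {"address": "old@mail.example"}}]}}
]"""

# Assumption: domains the organisation owns; anything else counts as external.
INTERNAL_DOMAINS = {"example.com"}

# Graph messageRule actions that move a copy of the mail somewhere else.
FORWARDING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def _recipients(actions, key):
    """Return lower-cased addresses for one forwarding action, or []."""
    return [r["emailAddress"]["address"].lower() for r in actions.get(key, [])]


def triage_rules(rules_json, internal_domains=INTERNAL_DOMAINS):
    """Return a list of findings, one per suspicious rule, in input order."""
    findings = []
    for rule in json.loads(rules_json):
        actions = rule.get("actions", {})
        reasons, external = [], []

        # External forwarding/redirect targets are the core BEC indicator.
        for key in FORWARDING_ACTIONS:
            for addr in _recipients(actions, key):
                if addr.split("@")[-1] not in internal_domains:
                    external.append(addr)
        if external:
            reasons.append("forwards to external: " + ", ".join(sorted(set(external))))

        # Deleting or marking as read hides the forwarded mail from the victim.
        if actions.get("delete"):
            reasons.append("deletes message")
        if actions.get("markAsRead") and (external or actions.get("delete")):
            reasons.append("marks as read (hides activity)")

        # Attackers often name rules "." or "" so they are easy to overlook.
        name = rule.get("displayName", "")
        if not name.strip(" ."):
            reasons.append("empty or dot-only rule name")

        if reasons:
            enabled = bool(rule.get("isEnabled", False))
            findings.append({
                "name": name,
                "enabled": enabled,
                "severity": "high" if (external and enabled) else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage_rules(SAMPLE_RULES_JSON):
        print(f["severity"].upper(), repr(f["name"]), "enabled=%s" % f["enabled"])
        for r in f["reasons"]:
            print("   -", r)
```

Disabled rules are still reported (at lower severity) because a rule an attacker switched off, or one left behind after a compromise, is itself evidence; the internal-domain set is the one value you must adapt per tenant.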

Teams Collectors

  • Teams Collector

    • What it collects: Teams channel data and files

    • Use case: Analyzing team collaboration

    • Example: Investigating shared content

  • Teams Chat Collector

    • What it collects: Direct messages and chat history

    • Use case: Communication pattern analysis

    • Example: Reviewing private conversations

Additional Collectors

  • OneDrive Collector

    • What it collects: Cloud storage files and metadata

    • Use case: File activity investigation

    • Example: Tracking file-sharing history

  • Calendar Collector

    • What it collects: Calendar events and meetings

    • Use case: Activity timeline analysis

    • Example: Mapping user schedules


Admin Consent Login Collectors

1. All Normal User Login Collectors

  • Includes access to all Normal User Login collectors with organization-wide scope

  • Applicable to any user in the organization

2. Administrative Collectors

  • Entra Sign-In Collector

    • What it collects: User authentication logs

    • Use case: Security monitoring

    • Example: Detecting suspicious login attempts

  • Entra Directory Audit Collector

    • What it collects: Microsoft Entra ID (formerly Azure AD) directory audit logs

    • Use case: Tracking administrative actions

    • Example: Monitoring permission changes
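As an added example of the "detecting suspicious login attempts" use case of the Entra Sign-In Collector (example code, not Binalyze Tornado code), the script below runs two simple detections over collected sign-in records: a burst of failed sign-ins followed by a success from the same IP address, and a successful sign-in from a country outside the user's known baseline. It assumes the records follow the Microsoft Graph `signIn` JSON shape (`userPrincipalName`, `createdDateTime`, `ipAddress`, `status.errorCode`, `location.countryOrRegion`); the sample records, the baseline, and the thresholds are constructed for the example.

```python
"""Two detections over collected Entra sign-in records.

Added example (not Binalyze Tornado code). Assumption: records follow the
Microsoft Graph `signIn` JSON shape; sample data and baseline are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: four failures then a success from one IP in a new
# country for alice, plus ordinary sign-ins for alice and bob.
SAMPLE_SIGNINS_JSON = """[
  {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T00:30:00Z",
   "ipAddress": "192.0.2.10", "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}},
  {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T01:00:00Z",
   "ipAddress": "203.0.113.5", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}},
  {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T01:02:00Z",
   "ipAddress": "203.0.113.5", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}},
  {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T01:04:00Z",
   "ipAddress": "203.0.113.5", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}},
  {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T01:06:00Z",
   "ipAddress": "203.0.113.5", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}},
  {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-01T01:08:00Z",
   "ipAddress": "203.0.113.5", "status": {"errorCode": 0}, "location": {"countryOrRegion": "NL"}},
  {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-01T09:00:00Z",
   "ipAddress": "198.51.100.7", "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}}
]"""

# Constructed baseline: countries each user normally signs in from.
BASELINE_COUNTRIES = {"alice@example.com": {"US"}, "bob@example.com": {"US"}}

FAILURE_THRESHOLD = 3          # failures before a success that we consider a burst
WINDOW = timedelta(minutes=30)  # failures older than this are not counted


def _parse(records):
    """Normalise raw Graph-shaped records and sort them chronologically."""
    events = []
    for r in records:
        events.append({
            "user": r["userPrincipalName"].lower(),
            "time": datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00")),
            "ip": r["ipAddress"],
            "ok": r["status"]["errorCode"] == 0,
            "country": r.get("location", {}).get("countryOrRegion", "?"),
        })
    return sorted(events, key=lambda e: e["time"])


def triage_signins(signins_json, baseline_countries=BASELINE_COUNTRIES):
    """Return findings for failure bursts ending in success and unusual countries."""
    findings = []
    recent_failures = defaultdict(list)  # (user, ip) -> times of failed attempts
    for e in _parse(json.loads(signins_json)):
        key = (e["user"], e["ip"])
        if not e["ok"]:
            recent_failures[key].append(e["time"])
            continue

        # Success after repeated failures from the same source within WINDOW.
        fails = [t for t in recent_failures[key] if e["time"] - t <= WINDOW]
        if len(fails) >= FAILURE_THRESHOLD:
            findings.append({"type": "failures_then_success", "user": e["user"],
                             "ip": e["ip"], "failures": len(fails),
                             "time": e["time"].isoformat()})
        recent_failures[key] = []  # reset once a success is seen

        # Success from a country the user has no history with.
        if e["country"] not in baseline_countries.get(e["user"], set()):
            findings.append({"type": "unusual_country", "user": e["user"],
                             "ip": e["ip"], "country": e["country"],
                             "time": e["time"].isoformat()})
    return findings


if __name__ == "__main__":
    for f in triage_signins(SAMPLE_SIGNINS_JSON):
        print(f)
```

Both detections are deliberately stateless beyond the collected records and a baseline you supply, which is the situation during a post-incident review; in a live tenant the same logic belongs in the SIEM with a baseline learned from history rather than hard-coded.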


Key Differences Between Access Modes

| Feature | Normal User Login | Admin Consent Login |
| --- | --- | --- |
| Access Scope | Personal data only | Organization-wide data |
| Data Collection | Limited to authenticated user | All users and administrative data |
| Best For | Individual investigations | Enterprise-level investigations |
| Advantages | Simple, user-specific analysis | Complete visibility of organization data |
| Limitations | Cannot access other users' data | Requires admin credentials |
| Use Case Example | "I need to investigate my own email communications from last month." | "I need to investigate all email communications within the finance department." |
