Microsoft account activity history feature is now online!


I am breaking my silence after a long pause. I have not had much information to share here, as I have mostly worked on infrastructure services with no customer-facing surface. Since 2011, I have been working on Microsoft account, the authentication service that powers most of Microsoft’s services. Today we rolled out a new security feature that I think many will find very useful for keeping an eye on their accounts and detecting unauthorized access – the account activity history page.

The activity history page can be accessed by going to account.live.com, signing in, and then selecting the Recent activity option. It will display details about your most recent activity and you can check that activity up to a month back in time (see http://www.microsoft.com/en-us/account/security/recentactivity.aspx for a detailed explanation of the content). If you have a secondary type of proof on your account, it will be used for granting access to the page, as the page contains potentially sensitive information about your whereabouts, so you should consider setting up such proof if you do not have one set already. If you see unauthorized successful activity, you can also report it and we will take you through some steps to strengthen the security of your account. Note that some activity may appear to come from a different location than you expect simply due to how mobile devices grab IP addresses – this is why you should check the additional details about the source of the authentication. Right now, older activity entries may have these details marked as Unknown because such information only started being stored as the feature was rolled out – such instances are expected at this point and should not raise a red flag.

Let me take this opportunity to also recommend pairing your Microsoft account with an authenticator app. This can be done, again, by visiting account.live.com and navigating to the Security info page under Overview. To pair the authenticator app with your Microsoft account, just follow the instructions in the Authenticator app section of the page – it is quite a simple process. The Microsoft Authenticator app for Windows Phone is available here: http://www.windowsphone.com/en-us/store/app/authenticator/e7994dbc-2336-4950-91ba-ca22d653759b. If you have a different phone, you should be able to use a compatible authenticator app like Google Authenticator. A tip for Microsoft Authenticator – if you want to copy-paste a code, just touch it and hold until an option appears to do so.

Finally, let me link to another post that touches on other features rolled out at the same time as the activity history page:

http://blogs.technet.com/b/microsoft_blog/archive/2013/12/09/new-security-features-added-to-microsoft-accounts.aspx

[UPDATE 2013/12/12]: I just realized I pasted the wrong link at the end of this post – just fixed.

Comments (18)

  1. JB says:

    I was unaware of authenticator apps.  I just my various accounts and devices with them.  Thanks for the info!

  2. Craig says:

    Great information here. Thanks! Can this information be downloaded to a CSV-type file? Smartphones log in each time they check for mail, so it could be every 5 minutes. Makes it really tough to look for anomalies.

  3. We are aware of the challenge of dealing with a lot of authentication information and we are looking into several approaches that would help with that problem for the next iterations of this page. I'll pass on your feedback to the feature team. Thank you!

  4. Vítor Pombeiro says:

    Hi, this is great information to check if there is someone using my account. I've to say that the Portuguese translation of the page has an error: on the page I've "amanhã", which in English is "tomorrow". Instead of "amanhã" it should be "ontem". I know you guys are great, but I have my doubts that you know the future. 🙂

  5. Thank you for your report, Vitor!

  6. Craig says:

    Laurentiu, thanks for the reply. We are doing an investigation for a client right now. Is there a way to formally make an ad hoc request for this information to be put into a CSV?

  7. Craig says:

    Laurentiu, I need to add some comments to my previous couple of messages.

    1. This account averages 366 sign-ins per day.

    2. Due to the security requiring me to re-enter my password every ?? minutes, I can't get the activity back 30 days. Every time I re-enter the password I have to start over on where I was with showing more activity, and I have little to no time to research anything older than 10 days.

    3. Having all the information in columns instead of having to expand each item would be extremely helpful.

    Any assistance would be greatly appreciated.  Craig.

  8. Unfortunately, today there is no online process for making the activity data available in a different form. In time, we will provide more tools to help with its analysis.

    But what exactly are you trying to accomplish? You are asking me about a specific solution, but you have not described the problem. There may be alternate solutions available.

  9. CraigBer34 says:

    Laurentiu, basically the account has been compromised and we are trying to identify who it is to support some legal claims.  We have a very good idea who it is but need to identify dates, times, IP,  Device/platform, and Browser/app.  This will help support our position when it is presented to the judge for further investigation.

  10. Sounds like you need to contact customer support for help with this issue. You can start that process here:

    windows.microsoft.com/…/id-support

  11. aprilbacon@hotmail.com says:

    Is there a way to access my activity record for October and November? I was hacked into them and I wanted to go back and check the location. I checked the activity log back then and saw the hacking. Now I want to show to police evidence of hacking after identity theft/fraud instance.

  12. The activity history page cannot display data older than a month because it is backed by a store that deletes entries older than one month (30 days to be precise). The feature is basically not built for auditing the activity of an account, but to help account owners check recent activity and to unblock recently blocked activity. I know it is too late to do that now, but you should have taken a screenshot of the information while you had access to it. We don't keep those records for more than 30 days. You may want to also contact customer support at the link I provided in the previous comment and see if they can give you any other guidance.

  13. gloptrattoria says:

    Hello Laurentiu, thanks for this great blog. Very useful.

    I hope you might help me with my question. I added a new email verification the other week and then I removed the phone number (I was changing provider the next day).

    Once I have deleted it does that mean Microsoft has also deleted it? The reason I ask is that in my Recent Account Activity page it still shows under "Account Security Info Deleted".

    Hope to hear from you…

  14. The way to check if a proof was deleted is to verify if it is still shown on the page from which you deleted it. If it doesn't, then it is no longer set as a proof and the deletion was successful. The Activity page will show the operation for the next month, after which time the activity record will expire and will be deleted – this record doesn't mean that the phone is still set as proof.

  15. gloptrattoria says:

    Hello Laurentiu.

    Thanks for your reply. So does a successful deletion mean that the old phone number is no longer attached to the account at all? I have heard that Google, for example, actually still associate your old phone numbers and emails with an account, which is obviously a privacy issue.

    Thank you

  16. I already answered earlier – I am not sure what else to add to that except perhaps explain why it doesn't make sense to do otherwise.

    Phone numbers are associated with accounts for security reasons, so you can receive security codes by text/voice and use them to prove ownership of the account, or to receive notifications about suspicious account activity.

    Beyond being a privacy issue, it would be a security issue to still keep the number associated with the account when it may no longer be your number anymore. The association with the account is removed immediately. The record of the action will still be seen for 30 days in Activity (we show the addition and the deletion so you can monitor if someone else is doing these operations on your account), but the association is removed as soon as the deletion is done. We don't keep track of phone numbers formerly associated with accounts either.

    You also don't even have to provide us with a phone number if you set up an identity verification app and use that instead. See details here: windows.microsoft.com/…/identity-verification-apps-faq

    As for what Google does, you would have to inquire with them, but I doubt they would keep associations around when you asked for their deletion.

  17. Shiv says:

    Hi, I have a question.
    Is it possible to view activities older than a month? This information that I am looking for is really important. Someone tried to access my email by resetting my password and adding his phone number to my mail. This is a matter of hospital secrecy, there is a case filed against the person and I am sure that I saw his number added to my account. The problem is that it happened in November, so I am looking for a way to view those activities to present it as evidence in court.

    Please, if anyone has any information about how I can get to see those activities you can contact me on ddont4judge@gmail.com .

    Thank you..

    1. The activity history feature cannot display data older than 30 days. This feature is backed by storage that only tracks the last 30 days of activity. Any activity that is older than 30 days is automatically deleted from this storage.

      The activity history feature was not meant as an auditing log that can go back over several months. It was meant to help account owners monitor their accounts to detect recent unauthorized access. If anything suspicious is noticed and you would like to keep a record of it, you should take a screenshot of the page, because the activity record will be deleted after 30 days.

      For your scenario, you should contact our customer support and request access to your account’s logs. You can start here:
      https://privacy.microsoft.com/en-us/privacystatement/
      Select “How to Access & Control Your Personal Data”, then “Learn More”, and you will see a paragraph providing a web form contact link. Here’s the link:
      https://privacy.microsoft.com/en-US/privacy-questions?ln=EN-US
      Use this to describe your scenario and ask for support.
