Describe the issue
FindFrontEndActivity.ps1
Version: 24.02.09.2324
When running the script as shown below, it does not find any entries in the HTTPProxy logs.
Get-ExchangeServer | .\FindFrontEndActivity.ps1 -SamAccountName e1901mbx -LatencyThreshold 1
Hybrid Modern Authentication is enabled in my environment which causes the AuthenticatedUser field to be populated with the users SID instead of their SamAccountName. Below is a sample request from my lab.
#Fields: DateTime,RequestId,MajorVersion,MinorVersion,BuildVersion,RevisionVersion,ClientRequestId,Protocol,UrlHost,UrlStem,ProtocolAction,AuthenticationType,IsAuthenticated,AuthenticatedUser
2025-12-03T23:45:49.962Z,7305f975-9dc3-4a40-a83b-d7999eb13765,15,2,1544,36,R:{6C319103-
6A5F-4ABC-A129-BBBB392101F7}:159;RT:Execute;CI:{704EFA91-E181-4A0B-86A9-4EEA14F6F81C}:109400046;CID:{7B277ABE-B1BE-40E7-AED4-079F7C31A8C8},Mapi,mail.logonzlab.com,/mapi/emsmdb/,,Bearer,tru
e,S-1-5-21-414624153-821473048-1506230998-9603,logonzlab.com,MailboxGuid~63d37936-1bf3-4152-9514-dc2ee4caf909,Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.19328; Pro),10.
97.83.12,E1901,200,200,,POST,Proxy,e1901.contoso.lab,15.02.1544.000,IntraForest,MailboxGuidWithDomain,Database~f6fbf29d-9cb4-48b9-a0c4-967e8da2c64f~~2026-01-02T23:44:48,,,42,113,,,10,0,,0,
,0,,0,0,,0,28,0,0,0,0,12,0,0,1,3,0,18,0,13,5,5,15,28,,?MailboxId=63d37936-1bf3-4152-9514-dc2ee4caf909@logonzlab.com,,BeginRequest=2025-12-03T23:45:49.934Z;CorrelationID=;ProxyState-
Run=None;FEAuth=BEVersion-1942128136;ActAsUserVerified=True;BeginGetRequestStream=2025-12-03T23:45:49.949Z;OnRequestStreamReady=2025-12-03T23:45:49.949Z;BeginGetResponse=2025-12-03T23:45:4
9.949Z;OnResponseReady=2025-12-03T23:45:49.961Z;EndGetResponse=2025-12-03T23:45:49.961Z;ProxyState-Complete=ProxyResponseData;SharedCacheGuard=0;EndRequest=2025-12-03T23:45:49.962Z;S:Servi
ceLatencyMetadata.AuthModuleLatency=10;S:ServiceCommonMetadata.OAuthExtraInfo=Category:V1AppActAs|ScenarioType:V1|AppId:d3590ed6-52b3-4102-aeff-aad2292ab01c|;S:ServiceCommonMetadata.OAuthL
atency=Parse:5|JwtSecurityTokenValidator:1|PermissionValidator:1|;I32:ADR.C[DC1]=1;F:ADR.AL[DC1]=1.9103;I32:ATE.C[DC1.contoso.lab]=2;F:ATE.AL[DC1.contoso.lab]=0;I32:ADS.C[DC1]=1;F:ADS.AL[D
C1]=1.9515,,,|RoutingDB:f6fbf29d-9cb4-48b9-a0c4-967e8da2c64f,,,CafeV1
Expected behavior
To support finding HTTPProxy logs related to specific users when Hybrid Modern Authentication is enabled.
Describe the issue
FindFrontEndActivity.ps1
Version: 24.02.09.2324
When running the script as shown below, it does not find any entries in the HTTPProxy logs.
Get-ExchangeServer | .\FindFrontEndActivity.ps1 -SamAccountName e1901mbx -LatencyThreshold 1Hybrid Modern Authentication is enabled in my environment which causes the AuthenticatedUser field to be populated with the users SID instead of their SamAccountName. Below is a sample request from my lab.
#Fields: DateTime,RequestId,MajorVersion,MinorVersion,BuildVersion,RevisionVersion,ClientRequestId,Protocol,UrlHost,UrlStem,ProtocolAction,AuthenticationType,IsAuthenticated,AuthenticatedUser
2025-12-03T23:45:49.962Z,7305f975-9dc3-4a40-a83b-d7999eb13765,15,2,1544,36,R:{6C319103-
6A5F-4ABC-A129-BBBB392101F7}:159;RT:Execute;CI:{704EFA91-E181-4A0B-86A9-4EEA14F6F81C}:109400046;CID:{7B277ABE-B1BE-40E7-AED4-079F7C31A8C8},Mapi,mail.logonzlab.com,/mapi/emsmdb/,,Bearer,tru
e,S-1-5-21-414624153-821473048-1506230998-9603,logonzlab.com,MailboxGuid~63d37936-1bf3-4152-9514-dc2ee4caf909,Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.19328; Pro),10.
97.83.12,E1901,200,200,,POST,Proxy,e1901.contoso.lab,15.02.1544.000,IntraForest,MailboxGuidWithDomain,Database~f6fbf29d-9cb4-48b9-a0c4-967e8da2c64f~~2026-01-02T23:44:48,,,42,113,,,10,0,,0,
,0,,0,0,,0,28,0,0,0,0,12,0,0,1,3,0,18,0,13,5,5,15,28,,?MailboxId=63d37936-1bf3-4152-9514-dc2ee4caf909@logonzlab.com,,BeginRequest=2025-12-03T23:45:49.934Z;CorrelationID=;ProxyState-
Run=None;FEAuth=BEVersion-1942128136;ActAsUserVerified=True;BeginGetRequestStream=2025-12-03T23:45:49.949Z;OnRequestStreamReady=2025-12-03T23:45:49.949Z;BeginGetResponse=2025-12-03T23:45:4
9.949Z;OnResponseReady=2025-12-03T23:45:49.961Z;EndGetResponse=2025-12-03T23:45:49.961Z;ProxyState-Complete=ProxyResponseData;SharedCacheGuard=0;EndRequest=2025-12-03T23:45:49.962Z;S:Servi
ceLatencyMetadata.AuthModuleLatency=10;S:ServiceCommonMetadata.OAuthExtraInfo=Category:V1AppActAs|ScenarioType:V1|AppId:d3590ed6-52b3-4102-aeff-aad2292ab01c|;S:ServiceCommonMetadata.OAuthL
atency=Parse:5|JwtSecurityTokenValidator:1|PermissionValidator:1|;I32:ADR.C[DC1]=1;F:ADR.AL[DC1]=1.9103;I32:ATE.C[DC1.contoso.lab]=2;F:ATE.AL[DC1.contoso.lab]=0;I32:ADS.C[DC1]=1;F:ADS.AL[D
C1]=1.9515,,,|RoutingDB:f6fbf29d-9cb4-48b9-a0c4-967e8da2c64f,,,CafeV1
Expected behavior
To support finding HTTPProxy logs related to specific users when Hybrid Modern Authentication is enabled.