To adhere to customer requirements, I'm trying to find a solution that will allow me to correlate security account management events to the originating client IP address that initiated the request, e.g. failed/successful logons, account creations/deletions/modifications, etc.
Windows Server 2012 R2 domain in Azure
1. Internet Client initiates request
2. Claim sent to WAP server
3. Passed along to ADFS
4. Then to SAML or AD for authentication
5. If authenticated then off to internal resources
Does the Client IP address in step 1 get stored anywhere, on WAP, on ADFS, in AD? If it does, I have not been able to figure it out. I've enabled all sorts of logging, including in ADFS, IIS, AD, etc. I get logs but no IP.
At the end of the day, what I am doing is using Operational Insights to monitor the events, but I need to be able to report the associated IP address of the source.
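Where the per-request client address actually ends up on AD FS 2012 R2, as an added example that is not part of the original post: once success/failure audits are switched on, AD FS writes per-request audit events to the Security log under the "AD FS Auditing" provider, and event 403 ("An HTTP request was received") carries a "Client IP" field. When the request arrived through WAP, that field holds the proxy's address and the end user's address travels in the X-MS-Forwarded-Client-IP header that WAP adds (the same value AD FS exposes as the x-ms-forwarded-client-ip request-context claim). The script below queries those events and normalises the two addresses. It assumes the "Label: value" message layout shown in the constructed sample, including that the forwarded header value appears in the message body; the sample event and host names are constructed, not captured data.

```powershell
# Added example, not code from the original post.
# Prerequisite on each AD FS 2012 R2 server (elevated, once):
#   Set-AdfsProperties -LogLevel @('Errors','Warnings','Information','SuccessAudits','FailureAudits')
#   auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable

function ConvertFrom-AdfsRequestEvent {
    # Parse the multi-line message of an AD FS Auditing event 403 into an object.
    # Assumption: fields are "Label: value" lines as in the constructed sample below.
    param(
        [Parameter(Mandatory)][string]$Message,
        [datetime]$TimeCreated = (Get-Date)
    )
    $get = {
        param($label)
        if ($Message -match "(?m)^\s*$([regex]::Escape($label))\s*:\s*(.*?)\s*$") { $Matches[1] } else { $null }
    }
    $clientIp  = & $get 'Client IP'
    $forwarded = & $get 'X-MS-Forwarded-Client-IP'   # assumption: present only for requests relayed by WAP
    [pscustomobject]@{
        TimeCreated  = $TimeCreated
        ActivityId   = & $get 'Activity ID'           # key for joining 403 to 411/1200/1202/1203 etc.
        # Behind WAP, "Client IP" is the proxy; the real caller is the forwarded address.
        ClientIp     = if ($forwarded) { $forwarded } else { $clientIp }
        ProxyIp      = if ($forwarded) { $clientIp } else { $null }
        ThroughProxy = ((& $get 'Through proxy') -eq 'True')
        ProxyDnsName = & $get 'Proxy DNS name'
        UrlPath      = & $get 'Url Absolute Path'
        UserAgent    = & $get 'User Agent'
        RelyingParty = & $get 'Targeted relying party'
    }
}

function Get-AdfsRequestClientIp {
    # Pull recent 403 events from the Security log (locally or from a named AD FS server).
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 200
    )
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -FilterHashtable @{
        LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = 403
    } | ForEach-Object { ConvertFrom-AdfsRequestEvent -Message $_.Message -TimeCreated $_.TimeCreated }
}

function Get-AdfsActivityCorrelation {
    # Group every AD FS Auditing event by Activity ID so the IP from 403 sits next to the
    # outcome events (e.g. 411 token validation failed, 1200 token issued, 1203 credential failed).
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 2000)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -FilterHashtable @{
        LogName = 'Security'; ProviderName = 'AD FS Auditing'
    } | ForEach-Object {
        $aid = if ($_.Message -match '(?m)^\s*Activity ID\s*:\s*([0-9a-fA-F-]{36})') { $Matches[1] } else { $null }
        [pscustomobject]@{ ActivityId = $aid; Id = $_.Id; TimeCreated = $_.TimeCreated; Message = $_.Message }
    } | Where-Object ActivityId | Group-Object ActivityId | ForEach-Object {
        $req = $_.Group | Where-Object Id -eq 403 | Select-Object -First 1
        $ip  = if ($req) { (ConvertFrom-AdfsRequestEvent -Message $req.Message).ClientIp } else { $null }
        [pscustomobject]@{ ActivityId = $_.Name; ClientIp = $ip; EventIds = ($_.Group.Id | Sort-Object -Unique) -join ',' }
    }
}

# Constructed sample message (not a real captured event) in the assumed 403 layout.
$sample = @"
An HTTP request was received.

Activity ID: 00000000-0000-0000-a1b2-0080000000c3
Request Details:
    Date And Time: 2015-06-01 10:15:22
    Client IP: 10.0.1.5
    HTTP Method: POST
    Url Absolute Path: /adfs/ls/
    User Agent: Mozilla/5.0
    Targeted relying party: https://app.contoso.example/
    Through proxy: True
    Proxy DNS name: wap01.contoso.example
    X-MS-Forwarded-Client-IP: 203.0.113.77
"@

ConvertFrom-AdfsRequestEvent -Message $sample | Format-List
# Live use on a federation server: Get-AdfsRequestClientIp | Format-Table TimeCreated, ClientIp, ProxyIp, UrlPath
```

Two caveats for anyone following the asker's path. AD FS 2012 R2 and WAP run on HTTP.sys rather than IIS, so IIS logs on those boxes will never carry these requests. And the account-management events themselves (4720, 4726, 4738 and so on) are generated on the domain controller and only record the machine that issued the change, so the internet client's address has to come from the AD FS 403 event and be joined on Activity ID or time, which is also the join an Operational Insights search would need once the Security log is collected from the AD FS servers.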