Forum Discussion

casualbob's avatar
casualbob
Copper Contributor
Jan 30, 2020

Why are Microsoft Data Centres logging in to my Office 365 accounts? Activity Alerts - BAV2ROPC

Hello, I have an activity alert set up to email me whenever a log in is detected from one of my 12 office 365 email users. These emails contain the username logging in and the IP address the log in o...
alerts
office 365
security
casualbob's avatar
casualbob
Copper Contributor
Apr 02, 2020

BdCvC 

 

Cheers BdCvC,

 

I have encountered these IPs and started ignorning them too. Added in case it helps anyone else.

 

Dublin Ireland
40.101.42.173
40.101.96.101
52.97.140.37
52.97.140.45
40.101.102.149

 

Vienna Austria
148.252.129.195
40.101.71.61
52.97.141.213

 

Amsterdam Holland
52.97.140.181
40.101.88.221
52.97.139.61
52.97.135.157
52.97.141.45
40.101.90.85

BdCvC's avatar
BdCvC
Copper Contributor
Sep 08, 2020

casualbob 

I am monitoring the audit logs of a few dozen Tenants via PowerShell and see ISP = Microsoft coming from more and more locations (as MS is implementing more IP's in their Data Centers). I have excluded Microsoft* ISP's from my Alerts, as these are likely just password hackers and the logs interpret/file them as successful Logins, in stead as Attempts.

If they were truly actual logins, we would not be in business anymore 🙂

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

We trap many real password breaches (users are users) this way (MFA seems too expensive here), but none were ever related to ROPC instances.

Hope that helps, not a factual conclusion, just an interpretation of what we are experiencing.

Resources