Forum Discussion
AleA79
Jan 18, 2021 | Copper Contributor
CAS Impossible Travel Alerts
I would like to ask you for some suggestions on: how do you handle Impossible Travel alerts? How do you verify, alert by alert, if it is a false positive or if it actually is something that you should worry ...
ambarishrh
Jul 02, 2021 | Iron Contributor
TcMcInnis Another good addition would be adding a blocked countries list (from Azure AD > Security > Named locations): add those countries that you don't have business with and then create a conditional access policy to block access. This way, even if for some reason the user credentials are compromised, the attacker won't get access to any of the resources. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-location
m_zorich
Jul 03, 2021 | Iron Contributor
Have a look at the user agent for the two sign-in events. If they are the same, then there is a good chance it is benign activity and the person is using a VPN; if not, then it may require more investigation. If you are using MFA everywhere, then sometimes it is worth revoking their token to enforce another sign-on to confirm: Actions -> require user to sign back in.
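As an added example (not code from this thread, from Microsoft, or from Cloud App Security), the Python below turns the two replies above into a repeatable triage step over sign-in records: it computes the speed a user would have needed between consecutive sign-ins, applies m_zorich's user-agent comparison to the pairs that exceed a plausible speed, and separately lists the sign-ins that a country-based conditional access block like the one ambarishrh links would have denied. The 900 km/h threshold, the `ZZ` blocked-country placeholder, the record field names and all sample events are constructed assumptions, not CAS's own schema or logic.

```python
"""Triage helper for impossible-travel alerts (added example, not from the thread)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from itertools import groupby
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumption: anything faster than a commercial airliner counts as impossible travel.
MAX_PLAUSIBLE_SPEED_KMH = 900.0
# Placeholder standing in for an Azure AD named location of countries the
# organisation has no business with; "ZZ" is a user-assigned ISO 3166 code.
BLOCKED_COUNTRIES = {"ZZ"}


@dataclass(frozen=True)
class SignIn:
    user: str
    time: datetime
    country: str
    lat: float
    lon: float
    user_agent: str


@dataclass(frozen=True)
class Verdict:
    user: str
    verdict: str          # plausible_travel | likely_benign_vpn | investigate
    speed_kmh: float
    recommendation: str


def parse_event(raw: dict) -> SignIn:
    """Build a SignIn from one constructed log record (ISO-8601 UTC timestamp)."""
    return SignIn(raw["user"], datetime.fromisoformat(raw["time"]).replace(tzinfo=timezone.utc),
                  raw["country"], raw["lat"], raw["lon"], raw["user_agent"])


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(phi1) * cos(phi2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def required_speed_kmh(a: SignIn, b: SignIn) -> float:
    """Speed the user would have needed to physically make both sign-ins."""
    hours = abs((b.time - a.time).total_seconds()) / 3600.0
    distance = haversine_km(a.lat, a.lon, b.lat, b.lon)
    if hours == 0:
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def triage_pair(a: SignIn, b: SignIn, max_speed: float = MAX_PLAUSIBLE_SPEED_KMH) -> Verdict:
    """Apply the user-agent check from the thread to two consecutive sign-ins."""
    speed = required_speed_kmh(a, b)
    if speed <= max_speed:
        return Verdict(a.user, "plausible_travel", speed, "no action needed")
    if a.user_agent == b.user_agent:
        return Verdict(a.user, "likely_benign_vpn", speed,
                       "same user agent on both sign-ins; confirm VPN use with the user")
    return Verdict(a.user, "investigate", speed,
                   "different user agents; revoke sessions so the user must sign in again with MFA")


def triage_all(raw_events: list) -> dict:
    """Group records per user, order them in time, and triage each consecutive pair."""
    events = sorted((parse_event(r) for r in raw_events), key=lambda e: (e.user, e.time))
    results = {}
    for user, group in groupby(events, key=lambda e: e.user):
        seq = list(group)
        results[user] = [triage_pair(x, y) for x, y in zip(seq, seq[1:])]
    return results


def blocked_country_hits(raw_events: list, blocked: set = BLOCKED_COUNTRIES) -> list:
    """Sign-ins that a country-based conditional access block policy would have denied."""
    return [(r["user"], r["country"]) for r in raw_events if r["country"] in blocked]


# Constructed sample sign-in records, not real telemetry.
CHROME_WIN = "Mozilla/5.0 (Windows NT 10.0) Chrome/91.0"
SAFARI_MAC = "Mozilla/5.0 (Macintosh) Safari/605.1"
SAMPLE_EVENTS = [
    {"user": "alice", "time": "2021-07-02T08:00:00", "country": "NL", "lat": 52.37, "lon": 4.90, "user_agent": CHROME_WIN},
    {"user": "alice", "time": "2021-07-02T08:30:00", "country": "US", "lat": 40.71, "lon": -74.01, "user_agent": CHROME_WIN},
    {"user": "bob", "time": "2021-07-02T08:00:00", "country": "NL", "lat": 52.37, "lon": 4.90, "user_agent": CHROME_WIN},
    {"user": "bob", "time": "2021-07-02T09:10:00", "country": "JP", "lat": 35.68, "lon": 139.69, "user_agent": SAFARI_MAC},
    {"user": "carol", "time": "2021-07-02T08:00:00", "country": "NL", "lat": 52.37, "lon": 4.90, "user_agent": CHROME_WIN},
    {"user": "carol", "time": "2021-07-02T11:00:00", "country": "GB", "lat": 51.51, "lon": -0.13, "user_agent": SAFARI_MAC},
    {"user": "dave", "time": "2021-07-02T08:00:00", "country": "ZZ", "lat": 0.0, "lon": 0.0, "user_agent": CHROME_WIN},
]

if __name__ == "__main__":
    for user, verdicts in triage_all(SAMPLE_EVENTS).items():
        for v in verdicts:
            print(f"{user}: {v.verdict} ({v.speed_kmh:.0f} km/h) - {v.recommendation}")
    print("would be denied by country block policy:", blocked_country_hits(SAMPLE_EVENTS))
```

The speed check runs before the user-agent comparison on purpose: carol switches browsers but covers Amsterdam to London in three hours, so she never reaches the user-agent test, while alice's matching user agent on an Amsterdam/New York pair half an hour apart is the VPN pattern the reply describes and bob's mismatched user agents on an impossible pair are the case where revoking sessions and forcing a fresh MFA sign-in is worthwhile.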