Forum Discussion
MCAS - Location Field
What determines the location shown in MCAS for Office 365 logs other than users utilizing a VPN service on their devices? I'm seeing too many users having connections from different locations within 30 mins to an hour usually using Exchange and Sharepoint Online and this creates a lot of false positive Impossible Travel Activity alerts. How does CAS or Office 365 resolve these locations?
3 Replies
AleA79It's been hard for us as well specially when you've got global locations. I've only been able to reproduce and catch those that are using VPN to anonymize their IP and those that uses our Site-to-Site VPN. I also observed different behaviors when users connect to their OneDrive and results are very inconsistent. I go through them one by one but I try to focus on those unknown connections that generated a lot of suspicious events. I've noticed some IP Addresses are incorrectly resolved which led me to this question years ago. I'm still experiencing inaccuracy from time to time just like yesterday when an IP Address was resolved to be coming from Germany but it was actually coming from Zimbabwe. I'm still testing and observing these events. We've come across some True Positives over the years and have since utilized MFA in most locations to at least lessen our worries when we get overwhelmed with the number of Impossible Travel Activities that comes in. I can't be much help now but I will post here if I discovered anything that can substantially help the community.
