May 11 2022 02:34 AM
Hello there
I am trying to test the Impossible Travel Alert in the Microsoft Defender for Cloud Apps.
For that, I use NordVPN to log in from 2 different countries and to generate the Impossible Travel. Somehow, no Impossible Travel Alert is generated. I just get the alert "Risky sign-in: Anonymous IP address". Could it be that this is because I use NordVPN and that the Impossible Travel Alert gets suppressed by the Risky sign-in Alert?
Thanks for your help
May 11 2022 04:08 AM
May 11 2022 11:45 PM - edited May 12 2022 12:56 AM
Yes, it's an Azure Premium p2.
Could it be because the policy was edited less than 7 days ago (Microsoft says the policy needs 7 days to "learn" before alerts are generated)? The policy was activated way earlier.
May 12 2022 01:56 AM
Hello Malvin,
Try to create a VM on Azure in Australia, for example (if you are not in Australia), and log into Microsoft 365 from this VM.
Probably it detects the VPN you use:
"To make this work, the detection logic includes different levels of suppression to address scenarios that can trigger false positive, such as VPN activities, or activity from cloud providers that don't indicate a physical location."
Aug 31 2022 09:13 PM
I've used OpenVPN to test this scenario successfully with a user that has a proper sign-in history. With this specific detection rule, MDA documentation highlights the learning period: 'The detection has an initial learning period of seven days during which it learns a new user's activity pattern.'
Also take these into account when testing:
Create anomaly detection policies in Defender for Cloud Apps | Microsoft Docs
Feb 14 2024 11:03 AM
@malvinportner, the 7-day detection policy learning period is likely still in progress after the recent edit. Give it the full duration. Also, NordVPN is probably obscuring the location change that would signal impossible travel.
Try logging in from physically distant spots without routing through a VPN. Remember that only one login location may be designated high-risk, while alerts require risky access at both endpoints. Verify country-level locations are both unsafe. If after 7 days and logins from clearly different non-VPN locations don't trigger alerts, some policy configuration adjustments may be needed.
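To make the two suppression conditions discussed in this thread concrete (the 7-day learning period and the anonymous-IP/VPN suppression), here is an added example of a simplified impossible-travel check over constructed sign-in events. It is not Microsoft's detection logic; the 1000 km/h speed threshold and the event fields are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

LEARNING_PERIOD = timedelta(days=7)  # learning period quoted in the thread
MAX_SPEED_KMH = 1000.0               # assumed plausibility threshold (not Microsoft's value)
EARTH_RADIUS_KM = 6371.0

@dataclass
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    anonymous_ip: bool  # egress flagged as VPN/anonymizer by IP reputation

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def evaluate(prev, cur, first_seen):
    """Classify the pair (prev, cur) of consecutive sign-ins for one user.

    first_seen is when the user's activity baseline started; while the
    baseline is younger than LEARNING_PERIOD nothing is alerted, and any
    anonymous-IP endpoint suppresses the check because the geolocation of a
    VPN exit node says nothing about where the user physically is.
    """
    if cur.when - first_seen < LEARNING_PERIOD:
        return "suppressed:learning_period"
    if prev.anonymous_ip or cur.anonymous_ip:
        return "suppressed:anonymous_ip"
    hours = (cur.when - prev.when).total_seconds() / 3600
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    # dist > speed*hours also catches hours == 0 without dividing by zero
    return "impossible_travel" if dist > MAX_SPEED_KMH * hours else "ok"

# Constructed sample: Zurich then Sydney two hours later, for a user whose
# baseline started 30 days earlier.
BASELINE_START = datetime(2022, 4, 1)
ZURICH = SignIn("malvin", datetime(2022, 5, 11, 8, 0), 47.3769, 8.5417, False)
SYDNEY = SignIn("malvin", datetime(2022, 5, 11, 10, 0), -33.8688, 151.2093, False)
SYDNEY_VPN = SignIn("malvin", SYDNEY.when, SYDNEY.lat, SYDNEY.lon, True)

def demo():
    return {
        "direct": evaluate(ZURICH, SYDNEY, BASELINE_START),
        "via_vpn": evaluate(ZURICH, SYDNEY_VPN, BASELINE_START),
        "young_baseline": evaluate(ZURICH, SYDNEY, SYDNEY.when - timedelta(days=2)),
    }
```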