Test Impossible Travel Alert


Hello there

I am trying to test the Impossible Travel Alert in the Microsoft Defender for Cloud Apps.

For that, I use the NordVPN to log in from 2 different countries and to generate the Impossible Travel. Somehow, no Impossible Travel Alert is generated. I just get the alert "Risky sign-in: Anonymous IP address". Could it be that this is because I use NordVPN and that the Impossible Travel Alert gets suppressed by the Risky sign-in Alert?

Thanks for your Help

3 Replies

Hi @malvinportner,

It should work. What license do you have? Premium p2?

Yes, it's an Azure Premium p2.

Could it be because the policy was edited less than 7 days ago (Microsoft says the policy needs 7 days to "learn" before alerts are generated)? The policy was activated way earlier.

@malvinportner 

Hello Malvin,
Try to create a VM on Azure in Australia, for example (if you are not in Australia), and log into Microsoft365 from this VM.

Probably it detects the VPN you use:
"To make this work, the detection logic includes different levels of suppression to address scenarios that can trigger false positive, such as VPN activities, or activity from cloud providers that don't indicate a physical location."

Impossible travel
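
A simplified illustration of the suppression behaviour described in the quoted documentation, added here as an example; it is not part of the original thread and not Microsoft's actual detection logic. The speed threshold, the `ip_tag` labels and the sample sign-ins are assumptions made for the sketch.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed threshold: roughly airliner cruise speed
# Categories named in the quoted documentation; the label strings are hypothetical.
SUPPRESSED_TAGS = {"vpn", "cloud_provider"}

@dataclass
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    ip_tag: str = "residential"  # hypothetical IP classification label

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def evaluate(prev, cur):
    """Return 'ok', 'suppressed' or 'alert' for two sign-ins by one user."""
    hours = abs((cur.when - prev.when).total_seconds()) / 3600
    # Comparing distance with reachable distance avoids dividing by zero
    # when both events carry the same timestamp.
    if km_between(prev, cur) <= MAX_KMH * hours:
        return "ok"
    # The travel is physically impossible, but if either IP does not
    # indicate a physical location the geolocation cannot be trusted.
    if {prev.ip_tag, cur.ip_tag} & SUPPRESSED_TAGS:
        return "suppressed"
    return "alert"

# Constructed sample events (not real telemetry)
T0 = datetime(2022, 5, 10, 9, 0)
T1 = datetime(2022, 5, 10, 9, 30)
ZURICH = (47.37, 8.54)
SYDNEY = (-33.87, 151.21)

def sample_results():
    home = SignIn("test.user", T0, *ZURICH)
    via_vpn = SignIn("test.user", T1, *SYDNEY, ip_tag="vpn")
    untagged = SignIn("test.user", T1, *SYDNEY)
    return evaluate(home, via_vpn), evaluate(home, untagged)

if __name__ == "__main__":
    print(sample_results())
```
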