Strange new logins.

Brass Contributor

Recently in AzureAD logs I have started to see attempted logins to various users across my organisation.  They all seem to have similar conditions such as:


1. Even though they are physically in Australia the logins occur from IP's in the UK e.g some IP's seen are (Hounslow, Greater London, GB) and (Needham Market, Suffolk, GB)

2. They are all showing in device info as "Azure AD registered"

3. Application identified as "Universal Store Native Client"

4. Resource identified as "Windows Store for Business"


Sometime they also have the following:


1. Same IP as the traffic for Application identified as "Universal Store Native Client" but

2. Application identified as "Microsoft Application Command Service"

3. Resource identified as "Microsoft Activity Feed Service"


Now I can understand if maybe these are some kind of background services attempting to access MS resources and are suing the Login for the Office tenancy but why are they coming from an IP in the UK when I know the person is in Australia at the time.  Is Windows tunneling certain traffic?  What is going on????

3 Replies
I haven't seen anything about Windows tunneling traffic. Are you certain that person hasn't gotten a computer that might be used by family that is syncing in the background?

As per my experience regarding similar alert is, I check if we have Azure data centers in respective regions which might be assigning IPs from there. You may want to look from that angle. @lfkentwell. Do let me know if you have any further leads.  

Just check if the user are using any kind of VPN or connecting via Jump Box . For an example If I log in to my portal from my laptop based in India the portal will show India location but If i connect to some jump box in US and log from there it will show log in from US location
Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.