Account compromise false positives

AndrewX · ‎Oct 27 2018

In its default state, the constant stream of AzureAD firing “risk events” is overwhelming..

I regularly see a logon in a valid country with other mailbox activity from another country, without a corresponding “Log On” event for that user in that country.

Could this be due to some of our tenant data centre is in country A, and some in Country B,C,D depending on where the user primary location is? Ps. We have valid users all over the globe in a single tenant.

Is it safe to ignore activity for an account in a “strange” or even just from an other country to the users residence, if there is no Log On event recorded for that user from that “other” country..?

Vasil Michev · ‎Oct 29 2018

It depends, I do tend to see some "Microsoft" IPs reported there, but overall they're getting better in filtering those out. In any case I would suggest you properly investigate those, and if you have any suspicions, contact support and have them confirm whether those are "known" IPs.

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Account compromise false positives

Account compromise false positives

Re: Account compromise false positives