Account compromise false positives

In its default state, the constant stream of AzureAD firing “risk events” is overwhelming.

I regularly see a logon in a valid country with other mailbox activity from another country, without a corresponding “Log On” event for that user in that country.

Could this be because some of our tenant's data centres are in country A, and some in countries B, C, D, depending on where the user's primary location is? PS: We have valid users all over the globe in a single tenant.

Is it safe to ignore activity for an account in a “strange” country, or even just from a country other than the user's residence, if there is no Log On event recorded for that user from that “other” country?
1 Reply

It depends. I do tend to see some "Microsoft" IPs reported there, but overall they're getting better in filtering those out. In any case I would suggest you properly investigate those, and if you have any suspicions, contact support and have them confirm whether those are "known" IPs.
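The heuristic the question describes (mailbox activity from a country with no matching sign-in for that user from that country) and the reply's advice (investigate, and let support confirm known service IPs) can be turned into a repeatable triage check. The following is an added example, not code from the thread or from Microsoft: it correlates exported sign-in records with mailbox audit records and flags activity with no supporting sign-in inside a time window, skipping IPs that sit in ranges support has already confirmed. The record fields, the sample data and the `203.0.113.0/24` "confirmed service" range are all constructed placeholders, not real tenant data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SignIn:
    """One interactive sign-in, as exported from the identity provider's sign-in log."""
    user: str
    country: str
    ip: str
    when: datetime


@dataclass(frozen=True)
class MailboxEvent:
    """One mailbox audit record (e.g. a mail access or inbox-rule change)."""
    user: str
    country: str
    ip: str
    operation: str
    when: datetime


# Constructed sample data for illustration only (not from the post).
BASE = datetime(2024, 1, 15, 9, 0)
SIGN_INS = [
    SignIn("alice@example.com", "NL", "198.51.100.10", BASE),
    # Bob's last sign-in from US is 30 hours old, outside the 24h window used below.
    SignIn("bob@example.com", "US", "198.51.100.77", BASE - timedelta(hours=30)),
]
MAILBOX_EVENTS = [
    MailboxEvent("alice@example.com", "NL", "198.51.100.10", "MailItemsAccessed", BASE + timedelta(minutes=15)),
    MailboxEvent("alice@example.com", "US", "192.0.2.44", "Set-InboxRule", BASE + timedelta(hours=1)),
    # From a range support has confirmed as a known service range; skipped, not flagged.
    MailboxEvent("alice@example.com", "DE", "203.0.113.5", "MailItemsAccessed", BASE + timedelta(hours=1, minutes=30)),
    MailboxEvent("bob@example.com", "US", "198.51.100.77", "MailItemsAccessed", BASE + timedelta(hours=1)),
]

# Placeholder: ranges that support has confirmed as known service IPs.
# TEST-NET-3 is used here purely as a constructed stand-in.
CONFIRMED_SERVICE_RANGES = [ip_network("203.0.113.0/24")]


def is_confirmed_service_ip(ip: str) -> bool:
    """True if the address falls in a range that has been confirmed as a known service range."""
    addr = ip_address(ip)
    return any(addr in net for net in CONFIRMED_SERVICE_RANGES)


def unsupported_activity(sign_ins, events, window=timedelta(hours=24)):
    """Return mailbox events that have no sign-in for the same user from the same
    country within `window` before the event, excluding confirmed service IPs.

    Events returned here are the ones worth a manual look; a match does not prove
    compromise, and an empty result does not prove the opposite."""
    by_user = {}
    for s in sign_ins:
        by_user.setdefault(s.user, []).append(s)

    flagged = []
    for e in events:
        if is_confirmed_service_ip(e.ip):
            continue
        supporting = [
            s for s in by_user.get(e.user, [])
            if s.country == e.country and e.when - window <= s.when <= e.when
        ]
        if not supporting:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in unsupported_activity(SIGN_INS, MAILBOX_EVENTS):
        print(f"{e.when:%Y-%m-%d %H:%M} {e.user} {e.operation} from {e.country} ({e.ip}): no supporting sign-in")
```

The window is deliberately a parameter: a long-lived session can legitimately produce mailbox activity many hours after the sign-in that created it, so tune it to the token lifetimes in use before treating the output as anything more than a worklist. Any IP added to `CONFIRMED_SERVICE_RANGES` should be one support has actually confirmed, as the reply suggests, rather than one guessed from ownership alone.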