In its default state, the constant stream of AzureAD firing “risk events” is overwhelming..
I regularly see a logon in a valid country with other mailbox activity from another country, without a corresponding “Log On” event for that user in that country.
Could this be due to some of our tenant data centre is in country A, and some in Country B,C,D depending on where the user primary location is? Ps. We have valid users all over the globe in a single tenant.
Is it safe to ignore activity for an account in a “strange” or even just from an other country to the users residence, if there is no Log On event recorded for that user from that “other” country..?