IP addresses and Risky Login

Copper Contributor
Good Morning, I am responsible for running Secure Score Reports for our clients. I was running down "suspicious" logins and when I reached out to our client's users asking if they were in XXX at YYY date and ZZZ time, I am generally being told they were not in that location. One user was in Jacksonville Florida and is showing IPs based out of Orlando and Mobile. I am at a loss in determining if these logins are legitimate or not. The information in the report indicates there was MFA. Is there a way to get a list of IP addresses that O365/Azure use for Multifactor Authentication? Please advise and thank you!
2 Replies

You know that IP-based geolocation is hardly an exact science, right? The IP ranges should be included in the generic O365 URLs and IP ranges article, they are the *.phonefactor.com ones.

Good Afternoon Vasil,


I know it isn't an exact science, I am just wanting to verify these IPs are MFA and not something nefarious.