IP addresses and Risky Login

Good Morning, I am responsible for running Secure Score Reports for our clients. I was running down "suspicious" logins and when I reached out to our client's users asking if they were in XXX at YYY date and ZZZ time, I am generally being told they were not in that location. One user was in Jacksonville, Florida and is showing IPs based out of Orlando and Mobile. I am at a loss in determining if these logins are legitimate or not. The information in the report indicates there was MFA. Is there a way to get a list of IP addresses that O365/Azure use for Multifactor Authentication? Please advise and thank you!
2 Replies

You know that IP-based geolocation is hardly an exact science, right? The IP ranges should be included in the generic O365 URLs and IP ranges article, they are the *.phonefactor.com ones.

Good Afternoon Vasil,

I know it isn't an exact science, I am just wanting to verify these IPs are MFA and not something nefarious.

Leigh