SOLVED

Service account with weird travel habits


We have a service account used by an application. Our data center is in West Europe, and I would expect all logins by the service account to occur from there, so I am puzzled why I receive email alerts about "User at risk" showing that the service account logs in from different places around the world: Hong Kong, Istanbul, Sao Paulo etc. Before I panic, I want to hear if the behavior can be explained as being innocent and normal?

1 Reply
Solution

Hello! @Jakob Rohde

That really depends on what resources the service account is used for.

Is it used for any other SaaS apps other than Microsoft, that could have their resources in these locations? 

The IP addresses that are logged from these locations, are they familiar to you?

This isn't usual behavior from my experience, if you don't, like I said earlier, have workloads that could be located in these areas.

I suggest doing some more investigation on the IP addresses used, and also change the password (if it's not too much of a hassle for you).

Kind Regards
Oliwer
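
One way to start the IP investigation suggested in the reply, as an added example that is not part of the original posts: group the service account's sign-ins that come from outside the expected data-center egress ranges by source IP. The record field names, the account name and the IP ranges (documentation ranges) are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: egress range of the West Europe data center (documentation range).
EXPECTED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample records; field names are assumed, modelled on a sign-in log export.
SIGNINS = [
    {"time": "2020-01-06T08:00:12Z", "account": "svc-app@example.com", "ip": "203.0.113.10", "country": "NL", "app": "App API"},
    {"time": "2020-01-06T09:14:03Z", "account": "svc-app@example.com", "ip": "192.0.2.44", "country": "TR", "app": "Exchange Online"},
    {"time": "2020-01-06T09:20:41Z", "account": "svc-app@example.com", "ip": "198.51.100.7", "country": "HK", "app": "Exchange Online"},
    {"time": "2020-01-06T11:02:55Z", "account": "SVC-APP@example.com", "ip": "192.0.2.44", "country": "TR", "app": "App API"},
    {"time": "2020-01-06T11:30:00Z", "account": "alice@example.com", "ip": "198.51.100.7", "country": "HK", "app": "Exchange Online"},
    {"time": "2020-01-06T12:00:09Z", "account": "svc-app@example.com", "ip": "203.0.113.11", "country": "NL", "app": "App API"},
]


def is_expected(ip, networks=EXPECTED_EGRESS):
    """True if the source IP falls inside one of the expected egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage(signins, account, networks=EXPECTED_EGRESS):
    """Group the account's sign-ins from outside the expected ranges by source IP."""
    unexpected = defaultdict(lambda: {"count": 0, "countries": set(), "apps": set(),
                                      "first": None, "last": None})
    for rec in signins:
        # Account names are compared case-insensitively; other accounts are skipped.
        if rec["account"].lower() != account.lower() or is_expected(rec["ip"], networks):
            continue
        entry = unexpected[rec["ip"]]
        entry["count"] += 1
        entry["countries"].add(rec["country"])
        entry["apps"].add(rec["app"])
        # ISO 8601 UTC timestamps in one format sort correctly as strings.
        entry["first"] = min(filter(None, [entry["first"], rec["time"]]))
        entry["last"] = max(filter(None, [entry["last"], rec["time"]]))
    return dict(unexpected)


if __name__ == "__main__":
    for ip, info in sorted(triage(SIGNINS, "svc-app@example.com").items()):
        print(ip, info["count"], sorted(info["countries"]), sorted(info["apps"]),
              info["first"], info["last"])
```

The per-IP summary (count, countries, applications, first and last seen) gives a short list to check against known SaaS integrations before deciding whether the sign-ins are explained.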