Feedback & Support Discussions

Dsonnier · ‎08-13-2019

Hey all,

I've submitted a support request for this through the Azure portal, but its been way past the two hour window for a response. Also had no luck finding answers in my research, so I turned to here. Here's the issue, under one of our partner tenant users, I see logins like these below.

Office 365 Exchange Online

Success

52.183.9.241

Not Applied

Quincy, Washington, US

Status Success Client app Other clients; IMAP

If you do "who is" on the IP, its a Microsoft Azure IP. These logins happen at random times every night for the past two weeks. I'm baffled by this, and have no idea what it is. I'll most likely have the user reset their password just because of the uncertainity. I haven't been able to find any documentation on possible background services/tasks that would be doing this. What could this possibilly be?

JanoschUlmer · ‎08-14-2019

Maybe a user accessing the mailbox from a virtual machine running in Azure?

The AzurAD Sign-In logs might contain more info on the device that has tried accessing, so this might give another clue.

I would also advice to do a password reset, you could maybe also try to use conditional access to restrict access from unkown locations. Or enable Identity Protection to trigger password reset when a risk is detected or credentials are leaked on the internnet (btw - baseline policy "end user protection" would also enable those identity protection features).

Kind regards, Janosch
Receive consultations via Technical Presales and Deployment Services team

Feedback & Support Discussions

Strange logins listed under user in Azure AD logins

Product and Services

Emerging Technologies

Developer & IT

Partner

Industries

Other