Reply
Dsonnier
Level 2 Contributor
‎08-13-2019 10:34 AM
Level 2 Contributor
‎08-13-2019 10:34 AM

Strange logins listed under user in Azure AD logins

Hey all,

 

I've submitted a support request for this through the Azure portal, but its been way past the two hour window for a response.  Also had no luck finding answers in my research, so I turned to here.  Here's the issue, under one of our partner tenant users, I see logins like these below.

Office 365 Exchange Online
Success
52.183.9.241
Not Applied

Quincy, Washington, US

Status Success Client app Other clients; IMAP

 

If you do "who is" on the IP, its a Microsoft Azure IP.  These logins happen at random times every night for the past two weeks.  I'm baffled by this, and have no idea what it is.  I'll most likely have the user reset their password just because of the uncertainity.  I haven't been able to find any documentation on possible background services/tasks that would be doing this.  What could this possibilly be?

Labels:
0 Kudos
1 REPLY 1
JanoschUlmer
Microsoft
‎08-14-2019 01:30 AM
Microsoft
‎08-14-2019 01:30 AM

Maybe a user accessing the mailbox from a virtual machine running in Azure?

The AzurAD Sign-In logs might contain more info on the device that has tried accessing, so this might give another clue.

 

I would also advice to do a password reset, you could maybe also try to use conditional access to restrict access from unkown locations. Or enable Identity Protection to trigger password reset when a risk is detected or credentials are leaked on the internnet (btw - baseline policy "end user protection" would also enable those identity protection features).

Kind regards,
Janosch
Get consultations form Technical Presales & Deployment services team via https://aka.ms/technicalservices
Follow Us
    Share