Level 2 Contributor

Strange logins listed under user in Azure AD logins

Hey all,


I've submitted a support request for this through the Azure portal, but its been way past the two hour window for a response.  Also had no luck finding answers in my research, so I turned to here.  Here's the issue, under one of our partner tenant users, I see logins like these below.

Office 365 Exchange Online
Not Applied

Quincy, Washington, US

Status Success Client app Other clients; IMAP


If you do "who is" on the IP, its a Microsoft Azure IP.  These logins happen at random times every night for the past two weeks.  I'm baffled by this, and have no idea what it is.  I'll most likely have the user reset their password just because of the uncertainity.  I haven't been able to find any documentation on possible background services/tasks that would be doing this.  What could this possibilly be?


Maybe a user accessing the mailbox from a virtual machine running in Azure?

The AzurAD Sign-In logs might contain more info on the device that has tried accessing, so this might give another clue.


I would also advice to do a password reset, you could maybe also try to use conditional access to restrict access from unkown locations. Or enable Identity Protection to trigger password reset when a risk is detected or credentials are leaked on the internnet (btw - baseline policy "end user protection" would also enable those identity protection features).

Kind regards, Janosch (OutOfOffice 8/12/22-9/5/22)
Receive consultations via Technical Presales and Deployment Services team