I'm relatively new to the world of IT and cybersecurity, and I often find myself looking into suspicious activities regarding user accounts at my organization. One thing I frequently encounter is sign-in logs along with alerts for impossible travels. I've heard that these alerts are usually not a big deal and that sign-ins from various countries might be harmless, but I lack a solid way to authenticate these alerts beyond the sign-in logs. Are Microsoft sign-in logs generally reliable? I understand that VPNs and mobile devices can mess with sign-in locations, so does that mean these logs aren't dependable? If they aren't, what other things should I be investigating if there aren't any follow-up alerts to determine if a user account has been compromised? I've already been checking for unusual email forwarding and possible phishing attempts, but I'm curious about any other recommendations you might have.
2 Answers
The impossible travel warnings aren't very reliable since the city-level IP data can be way off. However, country-level data is mostly trustworthy, and sure, VPNs can trigger these alerts, but they're just one of many layers of protection. If you're seeing logins from countries you don't expect, I'd definitely look into them further. Even though IPs might not be perfect, they usually give a close enough indication at the country level.
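As an added example (not code from the original post or either answer), the following Python check applies the point above: it flags impossible travel between consecutive sign-ins only when the country changes, treating same-country pairs as city-level geolocation noise. The sign-in records, coordinates, the `MAX_KMH` threshold, the `asn` field and the sanctioned-VPN set are all assumptions for illustration.

```python
# Added example: impossible-travel check over constructed sign-in records.
# The country_only rule follows the answer's point that country-level
# geolocation is far more trustworthy than city-level data.
from collections import defaultdict, namedtuple
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0                               # roughly airliner speed; faster is "impossible"
SANCTIONED_VPN_ASNS = {"AS-VPN-PLACEHOLDER"}  # placeholder: your org's own VPN egress ASNs

SignIn = namedtuple("SignIn", "user time country city lat lon asn")

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, country_only=True):
    """Return (user, from_city, to_city, kmh) for consecutive sign-ins that imply
    travel faster than MAX_KMH. With country_only=True, same-country pairs are
    skipped (city-level IP geolocation is too noisy to act on); pairs touching a
    sanctioned VPN egress are skipped as expected noise."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.time):
        by_user[e.user].append(e)
    hits = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if country_only and prev.country == cur.country:
                continue
            if {prev.asn, cur.asn} & SANCTIONED_VPN_ASNS:
                continue
            hours = (cur.time - prev.time).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > MAX_KMH:
                hits.append((user, prev.city, cur.city, round(kmh)))
    return hits

SAMPLE = [  # constructed sign-in log entries, not real data
    SignIn("alice", datetime(2024, 5, 1, 9, 0), "US", "Chicago", 41.88, -87.63, "AS100"),
    SignIn("alice", datetime(2024, 5, 1, 9, 30), "US", "Boston", 42.36, -71.06, "AS100"),  # geo noise
    SignIn("alice", datetime(2024, 5, 1, 10, 0), "NG", "Lagos", 6.52, 3.38, "AS200"),     # real hit
    SignIn("bob", datetime(2024, 5, 1, 8, 0), "US", "Denver", 39.74, -104.99, "AS100"),
    SignIn("bob", datetime(2024, 5, 1, 8, 20), "DE", "Frankfurt", 50.11, 8.68, "AS-VPN-PLACEHOLDER"),
]
```

Running `impossible_travel(SAMPLE)` yields only alice's Boston to Lagos hop; the Chicago to Boston pair is suppressed as same-country noise and bob's hop is suppressed by the sanctioned-VPN set, so the remaining hit is the one worth a follow-up look at the account.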
Microsoft’s logs are decent enough for a primary overview. In my team, we don’t allow logins from outside the country unless someone is explicitly traveling. This really cuts down on the fraudulent logins. Sure, VPNs are a thing, but that's just part of a layered defense approach. It's worth being wary of logins from regions you're not expecting.
That makes sense! How did you tackle any pushback when implementing that policy? I feel like getting everyone on board can be a challenge.

I totally get that! My organization has a constant turnover of end users, mostly students who may not always communicate with us well. It's a delicate balance since leadership is hesitant to block logins from other countries, especially with VPNs being common. Did your organization always have that policy in place, or did you see it evolve over time?