Hi everyone! I'm trying to get 'impossible travel' detection alerts working in our Microsoft 365 setup, which involves Entra ID and Defender, but I've hit a wall. So far, I've looked into the options and it looks like I can only configure this by creating custom KQL detection rules in Microsoft Defender.
I've tried several queries by simulating impossible travel sign-ins using a VPN, but nothing has triggered. I've even tweaked some queries and temporarily disabled country restrictions to test with spoofed IPs, but still no luck. I opened a support ticket with Microsoft, but I haven't received a clear answer yet.
So, I'm reaching out to see if anyone here has successfully set this up. Have you managed to get alerts triggered reliably? If you have a working KQL example or detection rule setup, could you share it? Also, are there any licensing or Defender configuration aspects I might have overlooked? Any help would be greatly appreciated!
3 Answers
Just a heads up, when you simulate impossible travel with a VPN, Microsoft uses more than just IP geo-location to determine the user's actual location. They incorporate data from endpoint APIs, including GPS and nearby Wi-Fi signals, to verify the authenticity of the login. What devices are you using for the tests?
Actually, to enable the impossible travel alerts, you'll need to set up conditional access in addition to creating those KQL rules. Ensure you're using sign-in risk/user risk as part of your context in that configuration.
To get the 'impossible travel' detection alerts working, it's essential to have the Entra P2 license. That's a requirement for the actual user risk detection related to impossible travel, so make sure you have that in place.
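An added example (not posted by anyone in this thread) of the kind of custom detection query the question asks for: it pairs each successful sign-in with the user's previous one from a different IP and flags the pair when the implied travel speed exceeds what a flight could achieve. It assumes the Defender XDR advanced hunting table AADSignInEventsBeta with Latitude and Longitude columns, and the lookback, distance floor and speed ceiling are constructed values to tune.

```kql
// Added example: impossible-travel custom detection for Defender XDR advanced hunting.
// Assumes AADSignInEventsBeta exposes Latitude/Longitude; adjust column names if your tenant differs.
let lookback = 1d;        // must cover both sign-ins of the pair you expect to alert on
let min_km = 500;         // floor to ignore geo-IP jitter inside one metro area
let max_kmh = 900;        // roughly commercial flight speed; faster is "impossible"
AADSignInEventsBeta
| where Timestamp > ago(lookback)
| where ErrorCode == 0                                     // successful sign-ins only
| where isnotempty(Latitude) and isnotempty(Longitude)
| project Timestamp, ReportId, AccountUpn, AccountObjectId, IPAddress, Country, City,
          Lat = toreal(Latitude), Lon = toreal(Longitude)
| sort by AccountUpn asc, Timestamp asc                    // serialized order for prev()
| extend PrevUpn = prev(AccountUpn), PrevTime = prev(Timestamp), PrevIp = prev(IPAddress),
         PrevCountry = prev(Country), PrevCity = prev(City),
         PrevLat = prev(Lat), PrevLon = prev(Lon)
| where AccountUpn == PrevUpn and IPAddress != PrevIp      // same user, different source IP
| extend DistanceKm = geo_distance_2points(PrevLon, PrevLat, Lon, Lat) / 1000.0
| extend Hours = datetime_diff('second', Timestamp, PrevTime) / 3600.0
| where Hours > 0 and DistanceKm > min_km
| extend SpeedKmh = DistanceKm / Hours
| where SpeedKmh > max_kmh
| project Timestamp, ReportId, AccountUpn, AccountObjectId,
          PrevTime, PrevIp, PrevCity, PrevCountry,
          IPAddress, City, Country, DistanceKm, SpeedKmh
```

A custom detection rule only sees events inside the query's lookback, so a test needs both sign-ins of the pair within that window. A VPN exit in the same country as the real sign-in yields little distance and will not clear the min_km floor, which is one reason a VPN simulation can stay silent.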