suspicious IP remediation

Lou S 0 Reputation points
2025-04-04T14:25:19.3633333+00:00

What to do when you encounter an IP which is suspicious.

Microsoft Security | Microsoft Entra | Microsoft Entra Internet Access

1 answer

  1. Anonymous
    2025-04-04T17:37:34.9133333+00:00

    Hello Lou S,

    It's important to act promptly to protect your environment when you come across a suspect IP in Entra ID.

    You can access sign-in logs through the Azure portal to see if there are any unusual or failed login attempts from that IP address (see the "Concept: sign-ins" documentation). Look for signs such as:

    High frequency of failed logins

    Login attempts from unusual locations or countries

    Logins during odd hours

    This can help you understand whether this IP is involved in suspicious activities, such as brute-force attacks or unauthorized access.

    Ensure that your Conditional Access policies are properly configured to restrict access based on factors like location, device, or user risk. You can block certain IP ranges or enforce multi-factor authentication (MFA) for logins coming from high-risk locations: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network

    Also, as an additional step to Conditional Access, configure Geo-IP filtering, either on your firewall or through a cloud service, to automatically block traffic originating from geographical areas that are not pertinent to your business operations.

    You can configure it to block a range of IP addresses, or to allow access by configuring trusted IP addresses.

    If MFA isn't already enforced, enable it for all users, especially for those accessing sensitive applications. This can help protect against unauthorized access, even if the login attempt comes from a suspicious IP. https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk

    If the IP address is confirmed to be malicious or suspicious, you can block it by setting up Azure AD Identity Protection or by manually blocking the IP through Firewall or Networking tools.

    Look for activities like password changes, application access, or changes in permissions that the user wouldn't normally perform.

    Reset passwords and force a re-authentication for affected users.

    On the other side, I suggest you continuously monitor security logs and alerts to quickly detect and respond to suspicious activities.

    Educate your users about phishing and other social engineering attacks and encourage them not to click on suspicious links or download unverified attachments.

    I hope this clarifies things.

    Please remember to "Accept Answer", so that others in the community facing similar issues can easily find the answers. Let me know in the comment section if you have any questions.

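The answer lists the signs to look for in the sign-in logs (a high rate of failed logins, logins from unusual countries, logins at odd hours) but leaves the checking to the reader. The script below is an added example, not code from the answer or from Microsoft: it reads a constructed sign-in log export in the shape of the Entra/Graph `signIn` records (`createdDateTime`, `userPrincipalName`, `ipAddress`, `status.errorCode`, `location.countryOrRegion`), aggregates per source IP, and reports which IPs match those signs. It also counts how many distinct accounts each IP tried, since many failures spread across accounts is the pattern behind a brute-force or spraying campaign. The expected-country set, business-hours window and all thresholds are assumptions you would tune for your tenant.

```python
"""Triage Entra ID sign-in log entries by source IP address.

Added example, not from the Q&A answer or from Microsoft. The records below are
constructed; they use the field names of an Entra sign-in log export
(createdDateTime, userPrincipalName, ipAddress, status.errorCode,
location.countryOrRegion) but describe no real tenant. Thresholds, the
expected-country set and the business-hours window are assumptions to tune.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: one IP probing several accounts at night from an unexpected
# country, one ordinary office IP with a single mistyped password, one clean sign-in.
# errorCode 50126 is Entra's "invalid username or password"; 0 is a successful sign-in.
SAMPLE_SIGNIN_LOG = json.dumps([
    {"createdDateTime": "2025-04-04T02:11:05Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.45", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2025-04-04T02:11:09Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "203.0.113.45", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2025-04-04T02:11:14Z", "userPrincipalName": "carol@contoso.example",
     "ipAddress": "203.0.113.45", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2025-04-04T02:11:20Z", "userPrincipalName": "dave@contoso.example",
     "ipAddress": "203.0.113.45", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2025-04-04T02:11:27Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.45", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2025-04-04T02:11:33Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "203.0.113.45", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "NL"}},
    {"createdDateTime": "2025-04-04T09:02:41Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2025-04-04T09:03:10Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2025-04-04T09:03:30Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2025-04-04T14:20:00Z", "userPrincipalName": "erin@contoso.example",
     "ipAddress": "192.0.2.10", "status": {"errorCode": 0}, "location": {"countryOrRegion": "GB"}},
])

EXPECTED_COUNTRIES = {"US", "GB"}   # assumption: countries the business operates from
BUSINESS_HOURS = range(7, 20)       # assumption: 07:00-19:59 UTC is normal working time
FAILED_LOGIN_THRESHOLD = 5          # assumption: failures per IP that warrant a look
DISTINCT_USER_THRESHOLD = 3         # assumption: accounts per IP suggesting spraying
OFF_HOURS_RATIO = 0.5               # assumption: share of sign-ins outside business hours


def parse_signins(raw_json):
    """Parse a JSON array of sign-in records into flat dicts with a UTC datetime."""
    records = []
    for entry in json.loads(raw_json):
        stamp = entry["createdDateTime"].replace("Z", "+00:00")  # fromisoformat on older Pythons needs the offset form
        records.append({
            "time": datetime.fromisoformat(stamp).astimezone(timezone.utc),
            "user": entry["userPrincipalName"],
            "ip": entry["ipAddress"],
            "failed": entry.get("status", {}).get("errorCode", 0) != 0,
            "country": entry.get("location", {}).get("countryOrRegion", "??"),
        })
    return records


def summarize_by_ip(records):
    """Aggregate per-IP counters that mirror the signs listed in the answer."""
    summary = defaultdict(lambda: {"total": 0, "failed": 0, "users": set(),
                                   "countries": set(), "off_hours": 0})
    for rec in records:
        stats = summary[rec["ip"]]
        stats["total"] += 1
        stats["failed"] += int(rec["failed"])
        stats["users"].add(rec["user"])
        stats["countries"].add(rec["country"])
        if rec["time"].hour not in BUSINESS_HOURS:
            stats["off_hours"] += 1
    return dict(summary)


def triage_ip(stats):
    """Return {reason_code: detail} for one IP's stats; an empty dict means nothing stood out."""
    reasons = {}
    if stats["failed"] >= FAILED_LOGIN_THRESHOLD:
        reasons["high_failed_count"] = f'{stats["failed"]} failed sign-ins'
    if len(stats["users"]) >= DISTINCT_USER_THRESHOLD:
        reasons["many_accounts"] = f'{len(stats["users"])} distinct accounts tried'
    unexpected = stats["countries"] - EXPECTED_COUNTRIES
    if unexpected:
        reasons["unexpected_country"] = "sign-ins from " + ", ".join(sorted(unexpected))
    if stats["total"] and stats["off_hours"] / stats["total"] > OFF_HOURS_RATIO:
        reasons["off_hours"] = f'{stats["off_hours"]}/{stats["total"]} sign-ins outside business hours'
    return reasons


def find_suspicious_ips(raw_json):
    """Map each IP with at least one triage reason to its reasons."""
    per_ip = summarize_by_ip(parse_signins(raw_json))
    return {ip: reasons for ip, stats in per_ip.items() if (reasons := triage_ip(stats))}


if __name__ == "__main__":
    for ip, reasons in find_suspicious_ips(SAMPLE_SIGNIN_LOG).items():
        print(ip)
        for code, detail in reasons.items():
            print(f"  [{code}] {detail}")
```

On the constructed sample only `203.0.113.45` is reported, with all four reasons; the office IP with one mistyped password and the single clean GB sign-in fall below every threshold, which is the point of scoring on several signals rather than on any single failed login. For real data, export the sign-in log from the Entra admin center as JSON (or pull it from the Graph `auditLogs/signIns` endpoint) and feed that file to `find_suspicious_ips`; an IP that comes out flagged is a candidate for the named-location block in Conditional Access that the answer describes, after you have confirmed it is not a legitimate shared egress such as a VPN or office NAT.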
