Authenticator App Logs used for IPv6/GPS Location Conditional Access Policy

Marshman, Kevin 0 Reputation points
2023-03-12T15:19:40.0233333+00:00

We are planning our CA policy for GPS location and have a few important questions around the use of the authenticator app.

It directs for precise location to be enabled. How accurate is precise location (meters, kilometers, etc.)?

We have some test users scoped for this policy, but what I noticed in a Sentinel query (a union of SigninLogs, AADNonInteractiveUserSignInLogs) is that the location returned for the user sign-in is that of the requesting app and not the Authenticator app. Is that in some other location different from these 2?

I also found this bit on a site called Common questions about the MS Authenticator app. This implies that it is not stored. Can anyone confirm this?
Q: How is my location information used and stored?

A: The Authenticator app collects your GPS information to determine what country you are located in. The country name and location coordinates are sent back to the system to determine if you are allowed to access the protected resource. The country name is stored and reported back to your IT admin, but your actual coordinates are never saved or stored on Microsoft servers.


1 answer

  1. Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
    2023-03-12T16:03:14.29+00:00

    It's not super precise. It's really where the IP address of the ISP provider is located. So in my case, it shows a map of the broad area on the Authenticator app that is really hundreds of miles square. The non-interactive sign-ins would most likely show more as the requesting app rather than the actual sign-in logs, which should be in the IP address of the user.

    If that link you referenced: https://support.microsoft.com/en-us/account-billing/common-questions-about-the-microsoft-authenticator-app-12d283d1-bcef-4875-9ae5-ac360e2945dd

    says they don't store the actual coordinates, then you can rest assured they don't. Microsoft has nothing to gain by lying about that :)

