Atypical Travel / Unfamiliar sign-in properties

xjt910 46 Reputation points
2022-03-11T13:54:00.26+00:00

Hi

I get a few atypical travel / unfamiliar sign-in properties incidents from time to time, where privileged users sign in from the same IP (52.98.175.181, Amsterdam, Noord-Holland) owned by Microsoft. I dismiss these as false positives, but I'm curious why this happens. I get the atypical travel part, but it happens quite often, so I wonder why it keeps triggering the unfamiliar sign-in properties policy.

I hope the question makes sense, thanks in advance!

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Sentinel

1 answer

  1. Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
    2022-03-14T07:15:16.577+00:00

    @xjt910 Thank you for reaching out to us.

    Regarding your query "frequent atypical travel alerts" for privileged accounts.

    This risk detection identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. Among several other factors, this machine learning algorithm takes into account the time between the two sign-ins.

    The algorithm ignores obvious "false positives" contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The system has an initial learning period of the earliest of 14 days or 10 logins, during which it learns a new user's sign-in behavior.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#:~:text=The%20algorithm%20ignores,sign%2Din%20behavior.

    Let me know if you have any questions on it.

    1 person found this answer helpful.
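
The conditions described in the answer above (distance and time between two sign-ins, the learning period, and locations regularly used by other users) can be sketched as a triage helper. This is an added example, not part of the answer and not Microsoft's algorithm: a fixed speed threshold stands in for the machine learning model, and `MAX_KMH`, `ORG_FAMILIAR_USERS`, the user names and the coordinates are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import NamedTuple

MAX_KMH = 900.0                     # assumed ceiling, roughly airliner cruise speed
LEARN_DAYS, LEARN_LOGINS = 14, 10   # learning period quoted in the answer
ORG_FAMILIAR_USERS = 3              # assumed cut-off for "regularly used by other users"

class SignIn(NamedTuple):
    user: str
    when: datetime
    city: str
    lat: float
    lon: float

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def in_learning_period(history, now):
    """True until the earlier of 14 days or 10 sign-ins is reached."""
    elapsed = now - min(s.when for s in history)
    return len(history) < LEARN_LOGINS and elapsed < timedelta(days=LEARN_DAYS)

def atypical_travel(log, user):
    """Return (from_city, to_city, km/h) for each flagged consecutive pair."""
    mine = sorted((s for s in log if s.user == user), key=lambda s: s.when)
    flagged = []
    for i in range(1, len(mine)):
        prev, cur = mine[i - 1], mine[i]
        if in_learning_period(mine[:i], cur.when):
            continue                # still learning this user's behaviour
        peers = {s.user for s in log if s.user != user and s.city == cur.city and s.when < cur.when}
        if len(peers) >= ORG_FAMILIAR_USERS:
            continue                # location is familiar across the organisation
        hours = max((cur.when - prev.when).total_seconds() / 3600, 1 / 60)
        speed = km_between(prev, cur) / hours
        if speed > MAX_KMH:
            flagged.append((prev.city, cur.city, round(speed)))
    return flagged

def sample_log(with_peers=False):
    """Constructed data: 10 daily Oslo sign-ins, then Amsterdam 30 minutes later."""
    t0, osl, ams = datetime(2022, 3, 1, 9), ("Oslo", 59.91, 10.75), ("Amsterdam", 52.37, 4.90)
    log = [SignIn("admin", t0 + timedelta(days=d), *osl) for d in range(10)]
    log.append(SignIn("admin", log[-1].when + timedelta(minutes=30), *ams))
    log += [SignIn(f"peer{n}", t0, *ams) for n in range(3)] if with_peers else []
    return log
```

With the constructed log, the Oslo to Amsterdam pair is flagged for `admin` once the learning period is over, and the same pair is suppressed when three other users have already signed in from Amsterdam.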
