Hi @IBN ,
I searched the audit logs at my end and also noticed that there are some "Accessed file" activities with IP addresses pointing to Microsoft.
Per my research, this could be expected as for some services, the value displayed in the IP addresses or the ClientIP property in audit logs might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by person who performed the activity. See this article for more details about the Client IP property in audit logs. For example, in my case where the IP address is reflecting of Microsoft Cloud, the User Agent is shown as "MSWAC", which means the Office Online service:
You can also have a look at the User Agent property for more details about this activity. But as mentioned earlier, it's usually a normal behavior so no need to worry about it.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.