Azure AD Identity Protection Has Incorrect Geo-IP Information

Jeff Hutto 26

We have some users who are being flagged as "high risk" because Microsoft Azure AD sees they are connecting from outside the US when they are actually in the US. We have a number of government contractors who will sometimes connect through the government-provided VPN, and their traffic will all come from a datacenter in the US. However, Microsoft shows that IP address as coming from Spain. I've checked several online WHOIS Geo-IP lookups, and these IPs are all listed as coming from the same place in the US. Only Microsoft seems to show them as coming from overseas. My problem is I have to open a ticket for these every time, and Microsoft might whitelist one or two IPs, but it's like playing a game of whackamole.

Are there any other avenues I can take?

Givary-MSFT 27,886 Reputation points Microsoft Employee

2022-05-30T07:15:38.47+00:00

@Jeff Hutto

Thank you for detailed description ( Azure AD Identity Protection has shows incorrect Geo-IP information when users signin) of the issue and approach to resolve as well.

Would request you to share the support id which you have worked on this issue, so that I can investigate further on this.

Also, wanted to check if you have leveraged risk policies as an option.

Refer to this link for more detailed information - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies

Enable sign-in risk policy for MFA - https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa#:~:text=Enable%20sign%2Din%20risk%20policy%20for%20MFA

Let me know if you have any further questions.
Lee Seeman 16 Reputation points

2023-04-04T15:21:12.3266667+00:00

We are seeing this as well in sign-in logs. For example Azure shows Shangai, but several whois IP reputation sites show T-mobile Kansas as geo.
Shannon H 45 Reputation points

2023-04-20T19:55:33.3066667+00:00

It almost seems like T-Mobile has some bad IP location data that has gotten out there or cached somewhere that keeps throwing Shanghai, CN location. (172.59.x.x range). It is a relatively recent development for our users. Seems prevalent to those physically located somewhere in the midwest US. Affecting any number of T-Mobile mobile serviced devices randomly (android or ios). Some IP's in that range will reflect other US based locations in our reporting (e.g. Philadelphia, Los Angeles, etc), but those are not as impactful when it comes to Azure conditional access policies that specifically deny foreign locations. Not sure where Microsoft Azure references to pull geolocation data. As noted in previous comment, many IP lookup and reputation sites state they are owned by T-Mobile in USA.
SWO-DOM 5 Reputation points

2023-04-26T16:50:55.5966667+00:00

Was this resolved? Having the same issue with mobile devices in the midwest showing up as attempting to login from Shanghai, China.
Shannon H 45 Reputation points

2023-05-01T21:21:37.5433333+00:00

It has not been resolved, and we are desperately trying to get hold of a Microsoft resource that can answer where they are getting the bad location data from and/or how to get Microsoft up to date with the current information. T-Mobile follows common current standard with geofeed published here - raw.githubusercontent.com/tmobile/tmus-geofeed/main/tmus-geo-ip.txt 172.59.72.x should show as US,US-MO,Kansas City.
Obviously Microsoft or whoever they point at as a reference is not up to day. ARIN is right and many other lookups sites are correct on location. Site ipstack.com is NOT right and showing the Shanghai, CN as location. I've sent ipstack.com a support inquire asking to get their stuff updated, but doubtful that will change whatever Microsoft has cached internally. It's been going on for weeks.
I sent T-Mobile an inquiry to their arintechcontact listed to see if there is anything they can do - no dice. I did also ask them when that IP range might have been added or changed in their geofeed list.
SWO-DOM 5 Reputation points

2023-05-03T21:33:48.0933333+00:00

Thank you for the update, Shannon
Eric 0 Reputation points

2023-05-04T17:04:55.0966667+00:00

Just experienced this exact issue with a user. Glad we aren't the only ones.
Ken 0 Reputation points

2023-08-01T22:05:32.99+00:00

I'm also show a false positive when I compare the geo-locations of some of the IP addresses shown in the Microsoft Sign-In logs and that of https://https://whatismyipaddress.com/ip-lookup . This is particularly true when coming from a mobile device where the IP starts with 2607. I have one user's device with IP: 2607:fb90:fd19:768f:ac39:c331:6805:6586 showing San Juan, Puerto Rico but when I look it up in whatismyipaddress, it's showing the greater Los Angeles area. And in all cases, the ISP is T-Mobile (which is our carrier).

My concern is that we've locked down usage based on all our users being in the United States using Conditional Access policies. If they happen to register as being outside of the U.S. (like Puerto Rico), I'm afraid they may be restricted from using 365 on their mobile device.

1 answer

Robert J. Waples 0 Reputation points

2023-08-03T14:41:38.9833333+00:00

Hello, I found this thread searching for similar issues I have been having with multiple customers over 4 months.

The users continue to experience login loop issues and during packet monitor review on Sonicwall NSA devices, I found my GEO block was detecting MS login servers in a variety of other countries. I then applied the Microsoft URL lists to my Sonicwall allow lists and still same issues. Today while still troubleshooting issues I continued to notice user logins showing different states vs countries.

I have disabled GEO filtering as of today on 2 clients Sonicwalls to see if any change with logins to (Edge, OneDrive, etc). Some customers are Azure AD Connect with SSO and some are just regular SVR2016 domains with MS365 services. I have recently upgraded all clients from O365 to M3365 plans and enabled security and compliance features. I could say this started after those steps and after enabling identity protection. All my customers do have Sonicwall firewalls but not convinced that is the issue and never was until MS login servers started going to other countries. Another common issue with my M365 clients is all tied with Ingram Micro Cloud Referral. I was planning to review ISP DNS servers and maybe change them all to Google DNS. Any comments or thoughts on this ongoing related issues appreciated.

Thanks, Rob
Please sign in to rate this answer.

0 comments No comments
Sign in to comment