User sign-ins (non-interactive) Sign-in IP shows mine but the service account is being used from another IP.

Killian Moore 21 Reputation points
2022-06-28T17:40:23.117+00:00

Hi there,

I'm trying to discover the reason why the IP address of non-interactive sign-ins lists as my current office IP and not the IP of the web app or service that is using the delegated/service account.
I know I need to provision the service account and use the adminConsent url to authorise it to make requests but I'm not sure why these api calls are listed from my office IP?
The service account is being run in a data centre server in a different country.

Could anyone offer an explanation on this.
Image is the non-interactive sign-ins.
I've read the docs provided on sign-ins etc here https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins, but I'm still confused as to why the IPs are mine and not where the Oauth account is being used.

Thanks in advanced and if you need any more information let me know.

215790-screenshot-2022-06-28-at-183000.png

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,106 questions
0 comments No comments
{count} votes

Accepted answer
  1. Shashi Shailaj 7,581 Reputation points Microsoft Employee
    2022-07-02T14:25:36.907+00:00

    @Killian Moore ,

    As far as I understand your query , you would like to understand that why do you see your IP address in the report for non-interactive sign-in in the reports rather than the IP of web service which is using the service account to call the API in the background.

    This is because the sign-in logs have evolved to provide this information about the originator. Generally a service account is something which will process requests from all the users . Hence in case of any security audit requirement, it is difficult to find which user actually is making a request and the IP, the request originated. Hence in case of non-interactive logons, the information of the user(request originator) , the user's IP , the application initiating the request and the cloud side resources the app is trying to access. That is why you see the user's IP on behalf of which the request was initiated rather than the backend service principal IP . The idea is to provide details about the user on behalf of whom the non-interactive request was initiated as explained in the non-interactive signin section of the linked article you provided.

    216958-image.png

    Hope the information helps. In case you feel that i have misunderstood your query or you have further questions , please feel free to continue the conversation in comments further and we will continue to help you on the same. If the information is helpful , please do accept the post as answer so that it improves the relevancy of the post and helps other members of the community searching for similar queries.

    Thank you .

    ----------------------------------------------------------------------------------------------------------------------------------------------------------

    • Please don't forget to click on 130616-image.png whenever the information provided helps you. Original posters help the community find answers faster by identifying the correct answer. Here is how
    • Want a reminder to come back and check responses? Here is how to subscribe to a notification
    • If you are interested in joining the VM program and help shape the future of Q&A: Here is how you can be part of Q&A Volunteer Moderators
    2 people found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful