Overview
The “Microsoft 365: Authentication Outside of U.S.” detection rule specifically looks for any Azure AD user account that successfully completes a UserLoggedIn action from an IP address located outside of the United States. However, it will not trigger on ServicePrincipal account actions, which connected app services often perform from different geographical locations.
We use a GeoIP service to compile a database of known IPs and what countries they are registered in. The country name displayed in the finding is based on what the GeoIP service provided as that IP’s location in the last database update. Locations for IP addresses can change, although it is rare.
Events that can trigger “Authentication Outside of U.S.” findings
There are several scenarios that can match the detection logic for authentications outside of the U.S. Below are some common cases and tips for investigating.
| Scenario | Considerations |
| --- | --- |
| VPN use | Users may be using a VPN on their device, which can present a non-US IP address for the login and trigger this detection. Review any VPN tools in use on the host device. |
| User traveling | The user may be traveling abroad and logging into their account from a new location. Confirm with the user whether they are traveling and whether they are actively logging in. |
| New device login | The account holder may be logging into their account from a new device they have not used before. The device may be in a new geographical location because they are traveling, or because it was newly purchased. |
| User account compromise | The account has been compromised and is being used to log in from various unknown geographical IP locations, leading to a new finding being generated. |
| False positives | False positive findings occur if the geolocation of the device was inaccurately determined by the GeoIP service provider. We recommend reviewing the location of the device and the user’s known working location early to ensure the finding is not due to inaccurate geolocation data. |
Using Report Builder to review sign-in activity
We recommend reviewing every UserLoggedIn action that has been completed by the user in the finding over the past 24 hours. We provide a pre-built global report that sets up most of the report for you, and you can filter the logs down with the user’s name.
To review the sign-in events around the finding activity, do the following:
- Navigate to Reporting > Report Builder.
- Click View All Saved Reports.
- Search for and click the compliance report titled “Logins from Outside the US (O365).”
- Click Edit Report.
- Click Add Filter, then add a filter to the existing report filters to narrow the activity down to the user or mailbox you need to review. Example:
  - user
  - Equal
  - username
- Click Submit.
Additional report filtering
If you want to update the report to show all of the events where a user had a login failure as well as successful logins, you can adjust the filters as follows:
- client_ip_geoipcountryname
  - Is not in
  - United States
- AND operation
  - Contains
  - UserLog
- AND user
  - Equal
  - username
- AND account_type
  - Equal
  - Regular
Another option to expand the dataset to see everything, including US logins, is to remove the “client_ip_geoipcountryname Is not in United States” filter. Reviewing all of the events can help determine if there are additional malicious actions at play or if it is standard user behavior.
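The following is an added example, not Blumira’s own detection code: it applies the rule logic described above (successful UserLoggedIn, non-ServicePrincipal account, country outside the United States) and the expanded report filter from this section to a handful of constructed audit records. The field names mirror the report filter names on this page; the record values, the “UserLoginFailed” operation and the addresses are assumptions made up for the example.

```python
# Added example (not Blumira's code). Evaluates the "Authentication Outside of U.S."
# rule logic and the expanded Report Builder filter over constructed M365 audit records.

# Constructed sample records; the keys follow the report filter field names on the page.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "operation": "UserLoggedIn",
     "account_type": "Regular", "client_ip_geoipcountryname": "Germany"},
    {"user": "alice@example.com", "operation": "UserLoginFailed",   # assumed op name
     "account_type": "Regular", "client_ip_geoipcountryname": "Germany"},
    {"user": "alice@example.com", "operation": "UserLoggedIn",
     "account_type": "Regular", "client_ip_geoipcountryname": "United States"},
    {"user": "app-sync", "operation": "UserLoggedIn",               # connected app
     "account_type": "ServicePrincipal", "client_ip_geoipcountryname": "Ireland"},
    {"user": "bob@example.com", "operation": "UserLoggedIn",
     "account_type": "Regular", "client_ip_geoipcountryname": "Canada"},
]

APPROVED_COUNTRIES = {"United States"}


def is_non_us_user_login(event):
    """Rule logic from the page: a successful UserLoggedIn by a non-ServicePrincipal
    account from a GeoIP country that is not in the approved set."""
    return (event["operation"] == "UserLoggedIn"
            and event["account_type"] != "ServicePrincipal"
            and event["client_ip_geoipcountryname"] not in APPROVED_COUNTRIES)


def matches_report_filter(event, username, include_us=False):
    """Expanded report filter: country Is not in United States AND operation
    Contains 'UserLog' (successes and failures) AND user Equal username AND
    account_type Equal Regular. include_us=True drops the country filter, as the
    page suggests for reviewing all of the user's activity."""
    return ((include_us or event["client_ip_geoipcountryname"] not in APPROVED_COUNTRIES)
            and "UserLog" in event["operation"]
            and event["user"] == username
            and event["account_type"] == "Regular")


def findings(events):
    """Records that would produce an 'Authentication Outside of U.S.' finding."""
    return [e for e in events if is_non_us_user_login(e)]


def report(events, username, include_us=False):
    """Records the filtered Report Builder report would show for one user."""
    return [e for e in events if matches_report_filter(e, username, include_us)]


if __name__ == "__main__":
    for e in findings(SAMPLE_EVENTS):
        print("finding:", e["user"], e["client_ip_geoipcountryname"])
    print("report rows for alice:", len(report(SAMPLE_EVENTS, "alice@example.com")))
```

Note that the failed login is absent from the findings list but present in the report, which is the difference between the rule and the broadened “Contains UserLog” filter.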
Restricting user access
Within Office 365 Azure AD, you can create Conditional Access policies that restrict your users from accessing their accounts while in countries that are not approved. This is a good security control to have in place on any M365 tenant to stop malicious actors from accessing compromised accounts from unapproved locations.
Our “Microsoft 365: Login Blocked due to Conditional Access Policy” detection rule is a good rule to enable in Blumira because it will trigger when an M365 account attempts to bypass a Conditional Access policy that you have in place.
Reference: Learn more in How to set Conditional Access Policies.