Suspicious Sign In via Microsoft Graph

Zile Rehman 10 Reputation points
2023-06-17T14:47:30.5966667+00:00

I have noticed a suspicious sign-in from a user account. The user is in California, but the sign-in appears to come from New Jersey, from a Microsoft Graph app that is running on the user's laptop. Please note the laptop is joined with AD. Does anyone know if this is expected, or is it indeed a security risk? More information is below. Thanks.

- Location: Mount Laurel, New Jersey, US
- IP address: 2603:3024:107f:a100:ec4a:12d7:df8c:4ab0
- Autonomous system number: 7922
- Device ID: dd6b2a01-9c07-4068-8bff-77e327acf27e
- Browser: Edge 114.0.1823
- Operating System: Windows 10
- Compliant: No
- Managed: No
- Join Type: Azure AD joined
- Request ID: XXXXX
- Correlation ID: XXX
- Authentication requirement: Multifactor authentication
- Status: Success
- Continuous access evaluation: No
- Additional Details: MFA requirement satisfied by claim in the token
- Troubleshoot Event: Follow these steps:
  1. Launch the Sign-in Diagnostic.
  2. Review the diagnosis and act on suggested fixes.
- User: XXXXX
- Username: XXXXX
- User ID: XXXXX
- Sign-in identifier:
- User type: Member
- Cross tenant access type: None
- Application: My Signins
- Application ID: XXXXXXX
- Resource: Microsoft Graph
- Resource ID: XXXXX
- Resource tenant ID: XXXXX
- Home tenant ID: XXXXX
- Home tenant name:
- Client app: Browser
- Client credential type: None
- Service principal ID:
- Service principal name:
- Resource service principal ID: XXXXX
- Unique token identifier: XXXXX
- Token issuer type: Azure AD
- Token issuer name:
- Incoming token type: Primary refresh token
- Authentication Protocol: None
- Latency: 108ms
- Flagged for review: No
- User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.43

1 answer

  1. Axyrium 51 Reputation points
    2024-10-10T16:38:37.4033333+00:00

    Unless you know for sure that it's originating from the user's laptop and is expected activity, I would treat it as malicious and have the user reset their password.

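The decision rule in the answer above, applied to the kind of fields shown in the question, as an added example that is not part of the original thread. The records are constructed, the key names follow the Microsoft Graph signIn resource, and the baseline list, the device inventory set and the three action labels are assumptions made for illustration.

```python
# Constructed data: key names follow the Microsoft Graph signIn resource,
# every value is made up (ASNs are from the documentation-reserved range).
LAPTOP_ID = "00000000-0000-0000-0000-0000000000aa"
BASELINE = [  # earlier sign-ins of the same user, assumed known-good
    {"location": {"state": "California"}, "autonomousSystemNumber": 64500},
]
KNOWN_LAPTOP_IDS = {LAPTOP_ID}  # assumed to come from the device inventory


def sample_signin(device_id):
    """A sign-in shaped like the one in the question, with constructed values."""
    return {
        "location": {"state": "New Jersey"},
        "autonomousSystemNumber": 64511,
        "deviceDetail": {"deviceId": device_id,
                         "isCompliant": False, "isManaged": False},
    }


def triage(signin, baseline, known_laptop_ids):
    """List what differs from the baseline, then pick an action label."""
    dev = signin["deviceDetail"]
    findings = []
    if signin["location"]["state"] not in {b["location"]["state"] for b in baseline}:
        findings.append("new_state")
    if signin["autonomousSystemNumber"] not in {
            b["autonomousSystemNumber"] for b in baseline}:
        findings.append("new_asn")
    if not (dev.get("isCompliant") and dev.get("isManaged")):
        findings.append("device_not_managed_or_compliant")
    device_known = dev.get("deviceId") in known_laptop_ids
    if not device_known:
        findings.append("unknown_device_id")
    # Rule from the answer: without proof that the sign-in comes from the
    # user's own laptop, treat it as malicious and reset the password.
    if not device_known:
        action = "reset_password"
    elif findings:
        action = "confirm_with_user"  # device matches, activity still unverified
    else:
        action = "no_action"
    return {"findings": findings, "action": action}


if __name__ == "__main__":
    for dev_id in (LAPTOP_ID, "00000000-0000-0000-0000-0000000000bb"):
        print(dev_id, triage(sample_signin(dev_id), BASELINE, KNOWN_LAPTOP_IDS))
```
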