Threat Hunting - Geolocation and permitted countries

Question

Threat Hunting - Geolocation and permitted countries

Adam in Education 25

Hello,

I am trying to actively look into unauthorized authentications and activity in our tenant. We are located in the United States, and 99% of our users also live there. As I work through the Threat Hunting queries and pull reports, I'm seeing authentication and file access outside the United States, when the user has never traveled to that location. The IP addresses associated often says "Cloud provider" and states it as a Microsoft IP address within the M365 space. Is it safe to assume these authentications are not my users if they are physically sitting in the U.S.? On top of that, we actively block VPN use inside our network and this is a policy, so users know this, and I'm fine breaking their VPN if that is what I'm noticing on our logs. I'm essentially just trying to understand if these IP addresses are really Microsoft and how I can narrow down our foot print proactively (and potentially break any current access that should not be allowed in countries that Microsoft does not have "cloud provider" servers.)

Thank you-

1 answer

Your answer

Answer 1

Sakshi Devkante 1,640 Microsoft External Staff

Hello @Adam in Education

Thank you for posting your query on Microsoft Q&A.

A Microsoft IP address or "Cloud provider" could very well be authentic traffic coming from Microsoft's global infrastructure. Verifying if these IP addresses are actually a part of Microsoft's owned blocks is crucial, though. Because of Microsoft's global cloud infrastructure, authentication may go through a Microsoft data center in another nation even if the user is in the United States.

Use resources such as Microsoft's official IP address ranges https://learn.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-ip-web-service?view=o365-worldwide to cross-check if the IP addresses are from a recognized Microsoft range in order to verify if it is indeed Microsoft.

For Example: you can use an IP lookup tool or services like WHOIS to verify whether the IP is owned by Microsoft or another provider. https://whatismyipaddress.com/ip-lookup

You may improve your access controls if you observe a pattern of behavior (for example, attempts at foreign authentication). You can reduce the chances of unwanted access by enforcing MFA for unknown locations and blocking non-US countries.

https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-by-location

Also, wanted to check if you have leveraged risk policies as an option.

Refer to this link for more detailed information - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies

Enable sign-in risk policy for MFA - https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa#:~:text=Enable%20sign%2Din%20risk%20policy%20for%20MFA

Even if users don't usually travel overseas, Microsoft's infrastructure can sometimes give a feeling that authentications are coming from overseas. For example, a valid authentication might originate in a different country simply because the authentication request is handled by a Microsoft server in a different region.

You can download the public IP range mapped to the geographical location, not limited to Azure, from the following. https://www.microsoft.com/en-us/download/details.aspx?id=53601

And the public IP range used by each Azure service can be downloaded from the following. https://www.microsoft.com/en-us/download/details.aspx?id=56519

I hope this clarifies things. Please contact us if you have any additional questions.

If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further query do let us know.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Best regards,

Sakshi Devkante

Sakshi Devkante 1,640 Reputation points Microsoft External Staff

2025-02-04T16:06:58.7566667+00:00

Hello @Adam in Education

I am following up to see if the suggestion provided above was helpful to you. If you have any further questions or need additional assistance, please don’t hesitate to reach out.

If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further query do let us know.

Best regards,
Sakshi Devkante
Adam in Education 25 Reputation points

2025-02-05T14:57:08.48+00:00

@Sakshi Devkante Thank you for the lengthy response. I need to read through this carefully and digest all the information before I mark this answer. I do have question, I'm not sure if it's answered in all of this documentation, but if I create a Conditional Access policy to block a specific country, does that also block the Microsoft Infrastructure within that country? And therefore I should not see any authentications within that country?
Sakshi Devkante 1,640 Reputation points Microsoft External Staff

2025-02-06T15:40:18.8333333+00:00

Hello @Adam in Education

When you create a Conditional Access policy to block access from a specific country, it will block all sign-ins that are coming from IP addresses associated with that country, regardless of whether the sign-in is coming from a user or Microsoft's infrastructure (like data centers, load balancers, or services).

However, Microsoft's global infrastructure could still affect how authentications are routed. If you configure a block by location policy, it will block sign-ins from any IP address located in the blocked country, including both user sign-ins and sign-ins routed through Microsoft's data centers.

This does not prevent Microsoft infrastructure in that country from being involved in routing or handling traffic. For example, if you block a country and an authentication request is routed through a Microsoft server in that country, it may still result in a block even if the user isn't actually located there.

Ref: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-assignment-network

https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies

Best regards,
Sakshi Devkante
Sakshi Devkante 1,640 Reputation points Microsoft External Staff

2025-02-07T16:52:59.09+00:00

Hello @Adam in Education

I am following up to see if the suggestion provided above was helpful to you. If you have any further questions or need additional assistance, please don’t hesitate to reach out.

Best regards,

Sakshi Devkante
Sakshi Devkante 1,640 Reputation points Microsoft External Staff

2025-02-10T08:49:55.27+00:00

Hello @Adam in Education

I am following up to see if the suggestion provided above was helpful to you. If you have any further questions or need additional assistance, please don’t hesitate to reach out.

Best regards,

Sakshi Devkante
Adam in Education 25 Reputation points

2025-02-10T18:55:21.97+00:00

@Sakshi Devkante Thank you for replying about the Conditional Access. I think something else is going on with my issues, just today, in my own Microsoft Authenticator prompt, my geo-location was not in my region in the U.S. My IP was showing as hosted somewhere else in the U.S. Something appears to be going on with the Microsoft geolocation records or where they get their data from. It's clearly a conflict in databases, because when I use ipchicken.com the geolocation is in my region, however other websites like this show the other geolocation that Microsoft is showing. If this data is inconsistent, it throws an error log for Microsoft Azure/Entra logins. And as I suspected, my account is now flagged as a risky user because of this geolocation issue. If this is beyond topic for this thread, I can intiate another question, but I appreciate all your responses as this problem is much more difficult to solve than I originally anticipated.
Sakshi Devkante 1,640 Reputation points Microsoft External Staff

2025-02-17T16:25:38.59+00:00

Hello Adam,

There could be a few reasons why the location for a user's Azure sign-in may be different from their physical location. If a user connects to Azure using a virtual private network (VPN) If you're using a VPN or proxy service (even unintentionally), it might route your traffic through a different location, skewing the geolocation that Microsoft sees. If this is the case, it could result in mismatches in your location. or content delivery network (CDN) it may result in their location appearing as that of the VPN, proxy server or CDN rather than their physical location. Also, some internet service providers (ISPs) may route traffic through different locations or data centers, which can also cause discrepancies in location information for Azure sign-ins.

Various providers may contribute their IP geolocation data to different services, and these databases can contain inaccurate or out-of-date information. Another possible explanation for the discrepancy between ipchicken.com and other websites is that Microsoft may be using a geolocation supplier whose data is incorrect.

If you notice discrepancies in the location information for Azure sign-ins, it is important to a thorough investigation to determine the cause. You may need to work with your network team or ISP to identify any issues with routing or location information, or you may need to adjust your Azure policies to account for these discrepancies.
Sakshi Devkante 1,640 Reputation points Microsoft External Staff

2025-02-18T16:25:47.5933333+00:00

Hello Adam,

I am following up to see if the suggestion provided above was helpful to you. If you have any further questions or need additional assistance, please don’t hesitate to reach out.
Sakshi Devkante 1,640 Reputation points Microsoft External Staff

2025-02-19T17:42:57.3433333+00:00

Hello Adam,

I am following up to see if the suggestion provided above was helpful to you. If you have any further questions or need additional assistance, please don’t hesitate to reach out.

Share via

Threat Hunting - Geolocation and permitted countries

1 answer

Your answer