How to Detect Logons Outside of Trusted Locations in Microsoft Entra ID

Native Solution
Steps
  1. Open portal.azure.com -> Click “Azure Active Directory”.
  2. In the Monitoring section, click “Sign-ins”.
  3. Click Download -> CSV.
  4. Import the resulting file into Microsoft Excel:
    • In Excel, click File -> Open -> Choose the file you just downloaded.
    • In the Text Import Wizard, choose Data Type = “Delimited” and tick the “My data has headers” box -> Click Next.
    • In the Delimiters section, tick “Comma” -> Click Next.
    • Scroll through the fields preview and choose “Do not import column (skip)”, leaving only the following columns: Date (UTC), User, Username, IP address, Location, Status. (For more logon details, you can also leave the “Application”, “Resource”, “Authentication requirement”, “Browser”, “Operating System” fields checked.) -> Click “Finish”.
  5. Filter by trusted locations (or IP addresses) using the “Location” (or “IP address”) column.
  6. Review the results:
[Screenshot: How to Detect Sign-ins from Outside Trusted Locations in Azure AD - Native Auditing]
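
Steps 4 to 6 can also be scripted instead of done by hand in Excel. The Python below is an added example, not part of the original how-to or of any Microsoft or Netwrix tooling; it assumes the export uses the column names listed in step 4, and the trusted ranges and sample rows are constructed.

```python
import csv
import io
import ipaddress

# Constructed trusted egress ranges (documentation address space); use your own.
TRUSTED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "2001:db8:10::/48")]
# Columns kept in step 4 of the procedure.
COLUMNS = ["Date (UTC)", "User", "Username", "IP address", "Location", "Status"]

# Constructed sample rows in the shape of the sign-ins CSV export.
SAMPLE_CSV = """\
Date (UTC),User,Username,IP address,Location,Status
2024-05-01T08:15:00Z,Alice Example,alice@example.com,203.0.113.25,"Seattle, Washington, US",Success
2024-05-01T09:02:00Z,Bob Example,bob@example.com,198.51.100.7,"Toronto, Ontario, CA",Failure
2024-05-01T09:30:00Z,Carol Example,carol@example.com,2001:db8:10::5,"Seattle, Washington, US",Success
2024-05-01T10:11:00Z,Dave Example,dave@example.com,,,Failure
2024-05-01T10:45:00Z,Alice Example,alice@example.com,2001:db8:ffff::1,"Berlin, Berlin, DE",Success
"""

def is_trusted_ip(ip_text):
    """True only if ip_text parses and falls inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False  # missing or malformed address: fail closed, review manually
    return any(ip.version == net.version and ip in net
               for net in TRUSTED_NETWORKS)

def untrusted_signins(csv_text):
    """Return the sign-in rows whose IP address is outside TRUSTED_NETWORKS."""
    flagged = []
    # DictReader handles the quoted, comma-containing Location values.
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_trusted_ip(row.get("IP address") or ""):
            flagged.append({col: row.get(col) or "" for col in COLUMNS})
    return flagged

if __name__ == "__main__":
    # For a real export, read the file with encoding="utf-8-sig" to drop any BOM:
    #   csv_text = open("signins.csv", encoding="utf-8-sig").read()  # hypothetical path
    for r in untrusted_signins(SAMPLE_CSV):
        print(r["Date (UTC)"], r["Username"], r["IP address"] or "<no IP>",
              r["Location"] or "<no location>", r["Status"], sep=" | ")
```

Rows with an empty or unparseable IP address are reported rather than skipped, so a sign-in with no recorded address still gets reviewed.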

 

Netwrix Auditor for Microsoft Entra ID

1. Run Netwrix Auditor → Navigate to "Search" → Specify the following criteria:

  • Filter – "Data source"
    Operator – "Equals"
    Value – "Azure AD"
  • Filter – "Object type"
    Operator – "Equals"
    Value – "Logon"
  • Filter – "Workstation"
    Operator – "Does not contain"
    Value – An IP address or location to be excluded

You can exclude several IP addresses or locations by adding additional “Workstation” filters.

2. Click “Search”:

[Screenshot: How to Detect Sign-ins from Outside Trusted Locations in Azure AD - Netwrix Auditor]

To save this report for future use, click “Tools” -> Click “Save as report” -> Specify a name for your report -> Click “Save”.

 

Find suspicious sign-ins to your Microsoft Entra ID more easily

Many organizations have been operating with an expanded remote workforce for several months now. While most of the challenges related to getting remote workers up and running have been addressed, there are still serious security challenges. In particular, we can no longer rely on traditional firewall rules to control access, especially as threats become more sophisticated. 

Microsoft Entra ID conditional access policies enable you to control user access to resources and even implement MFA based on sign-in location. Nevertheless, with so many remote workers and cloud applications, your attack surface is significantly larger, and therefore it’s critical to keep track of Azure sign-in events.

The Microsoft Entra ID audit logs record all logon events, but you cannot effectively filter the entries to exclude known (safe) locations, leaving you with an impossible volume of information to process manually. 

Netwrix Auditor for Microsoft Entra ID facilitates access control for security and compliance by providing security reports on both successful and failed attempts to access your Microsoft Entra ID and cloud applications. The convenient search function enables you to filter out unnecessary records and quickly find the information you are looking for. You can even save your search as a custom report that you can subscribe stakeholders to, and set up an alert to ensure you’re immediately on top of any suspicious sign-in attempt.
