How to Track Logons Outside of Trusted Locations in Azure AD

Monitor Azure Logon Activities with Lepide Auditor
3 min read | Updated On - March 08, 2024

As an IT administrator, it’s important to know where users are logging in from. Logons to Azure Active Directory (Azure AD) from outside trusted locations need to be monitored, as they could be indicative of an attack.

Azure AD Conditional Access policies enable you to control user access to resources to help keep your organization secure. However, these days, with so many more remote workers and cloud applications, your attack surface is significantly larger, and so it is crucial to keep track of Azure AD sign-in events.

The Azure AD audit logs record all logon events, but you cannot easily filter the entries to exclude trusted locations, leaving you with a large volume of information to process manually.

A more straightforward solution to this is to use the Lepide Azure AD Auditor. This enables you to generate reports on both successful and failed attempts to log on to Azure AD. Trusted locations can be filtered out to display only the information you are looking for, providing an efficient way to monitor Azure AD logons.

The two ways to detect logons outside of trusted locations in Azure AD are described below.

  1. Audit Logons Outside of Trusted Locations Using Native Auditing
  2. Audit Logons Outside of Trusted Locations Using Lepide

Audit Logons Outside of Trusted Locations Using Native Auditing

Follow the steps below to audit logons from outside trusted locations:

  • Open portal.azure.com
  • Click Azure Active Directory
  • Click Sign-in logs from the Monitoring section
  • Click Download, CSV
  • Import the resulting file into Microsoft Excel

From Excel:

  • Click File, Open and select the file you previously downloaded

From the Text Import Wizard:

  • Choose Data Type = Delimited
  • Check the My data has headers box
  • Click Next

From the Delimiters section:

  • Check Comma
  • Click Next
  • Scroll through the fields preview and choose Do not import column (skip), leaving only the following columns: Date (UTC), User, Username, IP address, Location, Status.
  • Note: For more logon details, you can also leave the Application, Resource, Authentication requirement, Browser, and Operating System fields checked.

  • Click Finish
  • Apply an Excel filter to filter by trusted locations or IP addresses using the Location or IP address column.
Figure: Azure AD Logons Outside of Trusted Locations
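
The same filter can be scripted rather than applied by hand in Excel. The following is an added example, not code from Lepide or Microsoft: it reads a sign-in CSV with the columns kept in the import steps above and returns only the rows whose IP address falls outside a list of trusted networks. The trusted ranges and the sample rows are constructed for illustration.

```python
import csv
import io
import ipaddress

# Assumed trusted egress ranges (documentation addresses; replace with your own).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]

# Constructed sample rows using the column names kept in the import steps above.
SAMPLE_CSV = """Date (UTC),User,Username,IP address,Location,Status
2024-03-01T08:02:11Z,Alice Example,alice@example.com,203.0.113.25,"London, GB",Success
2024-03-01T08:05:40Z,Bob Example,bob@example.com,198.51.100.77,"Lagos, NG",Failure
2024-03-01T09:14:03Z,Alice Example,alice@example.com,2001:db8:10::5,"London, GB",Success
2024-03-01T09:20:59Z,Carol Example,carol@example.com,,"",Failure
2024-03-01T10:31:27Z,Bob Example,bob@example.com,192.0.2.14,"Austin, US",Success
"""

def is_trusted(ip_text):
    """True only if the address parses and falls inside a trusted network."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False  # empty or malformed address: keep the row for review
    return any(addr.version == net.version and addr in net for net in TRUSTED_NETWORKS)

def untrusted_signins(csv_file):
    """Return rows whose IP address is outside every trusted network."""
    reader = csv.DictReader(csv_file)
    return [row for row in reader if not is_trusted(row.get("IP address") or "")]

def summarize(rows):
    """Count untrusted sign-ins per (Username, Status) pair."""
    counts = {}
    for row in rows:
        key = (row["Username"], row["Status"])
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    hits = untrusted_signins(io.StringIO(SAMPLE_CSV))
    for row in hits:
        print(row["Date (UTC)"], row["Username"], row["IP address"] or "(no IP)",
              row["Location"] or "(no location)", row["Status"])
    print(summarize(hits))
```

Rows with a missing or unparseable IP address are treated as untrusted so they stay visible for review. For a downloaded file, pass `open(path, newline="", encoding="utf-8-sig")` to `untrusted_signins` in place of the sample.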

Audit Azure AD Logons Outside of Trusted Locations Using Lepide

This native way to track logons outside of trusted locations in Azure AD is both time-consuming and complex, and requires using both Azure AD and Excel to generate a report. A more straightforward solution to this is to use the Lepide Azure AD Auditor.

Lepide Azure AD Auditor overcomes the complexity of the native method by providing a straightforward way to list all logons outside of trusted locations in Azure AD using the All Modifications in Azure AD Report:

Figure: Logons Outside of Trusted Locations in Lepide Azure AD Auditor
  • To see all users who have tried to log in:

    Filter by Operation and select User Logged in and User Login Failed

  • To exclude all trusted locations and show only logins outside of trusted locations:

    Filter by Where, change the filter criteria to Not Equal to and add all trusted locations

  • Click Generate Report

    The report will list all logins, whether successful or failed, from outside of trusted locations for the time period specified.

Conclusion

In conclusion, you can see that Lepide Azure AD Auditor provides a straightforward way to report on Azure AD login activity, resulting in a comprehensive yet easy-to-understand report.
