New Country for Tenant
Detects users successfully logging in, starting sessions, or authenticating from new locations with no operation, which may indicate an account takeover attempt.
A user will fail this check if they have any anomalous activities in the past 24 hours.
A new country is defined as one that has not been associated with a login in more than 90 days.
To reduce false positive alerts, accounts that were created less than 3 days prior to the check run are excluded. Access from a managed device will be excluded for customers with Azure AD with InTune.
Recommended Actions
We recommend contacting the end user to verify the origin of the actions.
Default Check Settings:
Anomalous activities period (hours): 24
Compatibility
Last updated