
New Country for Tenant

Detects users successfully logging in, starting sessions, or authenticating from new locations with no operation, which may indicate an account takeover attempt.

A user will fail this check if they have any anomalous activities in the past 24 hours.

A new country is defined as one that has not been associated with a login in more than 90 days.

To reduce false positive alerts, accounts that were created less than 3 days prior to the check run are excluded. For customers using Azure AD with Intune, access from a managed device is also excluded.
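The rules above expressed as a small detection function. This is an added example, not the vendor's implementation. The event schema, the function and variable names, and the sample data are constructed, and it assumes the 90-day baseline is tenant-wide, as the check's title suggests.

```python
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=90)        # a country unseen for longer than this is "new"
WINDOW = timedelta(hours=24)         # anomalous activities period (default setting)
MIN_ACCOUNT_AGE = timedelta(days=3)  # younger accounts are excluded

def failing_users(events, created, now):
    """Return {user: [new countries]} for users that fail the check.

    events  -- dicts with user, time, country, managed, ok (hypothetical schema)
    created -- {user: account creation time}
    Assumption: the 90-day baseline is tenant-wide, not per user.
    """
    start = now - WINDOW
    # Countries with a successful login in the 90 days before the window.
    baseline = {e["country"] for e in events
                if e["ok"] and start - LOOKBACK <= e["time"] < start}
    findings = {}
    for e in events:
        if not e["ok"] or not start <= e["time"] <= now:
            continue                      # failed login or outside the window
        if e["country"] in baseline:
            continue                      # country already known to the tenant
        if e["managed"]:
            continue                      # managed-device access is excluded
        if now - created[e["user"]] < MIN_ACCOUNT_AGE:
            continue                      # account created under 3 days ago
        findings.setdefault(e["user"], set()).add(e["country"])
    return {user: sorted(c) for user, c in findings.items()}

# Constructed sample data.
NOW = datetime(2024, 6, 10, 12, 0)

def ev(user, ago, country, managed=False, ok=True):
    return {"user": user, "time": NOW - ago, "country": country,
            "managed": managed, "ok": ok}

EVENTS = [
    ev("alice", timedelta(days=40), "US"),                # baseline
    ev("bob", timedelta(days=120), "BR"),                 # older than 90 days
    ev("alice", timedelta(hours=2), "BR"),                # new country: flagged
    ev("bob", timedelta(hours=3), "US"),                  # known country
    ev("carol", timedelta(hours=1), "JP", managed=True),  # managed device
    ev("dave", timedelta(hours=5), "DE"),                 # account 1 day old
    ev("erin", timedelta(hours=4), "FR", ok=False),       # failed login
]
CREATED = {u: NOW - timedelta(days=400) for u in ("alice", "bob", "carol", "erin")}
CREATED["dave"] = NOW - timedelta(days=1)

if __name__ == "__main__":
    print(failing_users(EVENTS, CREATED, NOW))
```

Only alice fails here: BR was last seen 120 days ago, while the JP, DE and FR logins fall under the managed-device, account-age and failed-login exclusions respectively.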

Recommended Actions

We recommend contacting the end user to verify the origin of the actions.

Default Check Settings:

Anomalous activities period (hours): 24

Compatibility

Microsoft Entra ID

Okta

Duo

Salesforce

GitHub

AWS
