Impossible travel activity alert - false positives

  • Question

  • Hello folks,

    We are getting Impossible travel activity alerts for Exchange Online email access from users that are checking from cell phones via ActiveSync.  When users are overseas for legitimate travel, it seems like we see logins from their overseas location, but it seems like their email check triggers activity in the US as well, therefore generating an alert in Cloudwatch, falsely.

    Anyone hear of this?  Does ActiveSync trigger US activity every time, even if overseas?

    Is there something that can be done about this?


    • Edited by romatlo32 Thursday, September 12, 2019 7:56 PM
    Thursday, September 12, 2019 7:54 PM

All replies

  • Have you disabled Basic Authentication in Exchange Online? Using MFA as well?
    Thursday, September 12, 2019 8:24 PM
    Moderator
  • Hi,

     

    Impossible travel uses a machine learning algorithm that ignores obvious "false positives" contributing to the impossible travel condition. The detection logic includes different levels of suppression to address scenarios that can trigger false positives. For more info, please see the article:

     

    Get instantaneous behavioral analytics and anomaly detection

     

    Regards,

    Kelvin Deng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com


    Friday, September 13, 2019 6:40 AM
  • Thank you.

    No MFA.  You think disabling Basic Authentication makes a difference here?

    I think the problem is that T-Mobile routes traffic to the US even when logging on overseas and triggers this alert.  Any thoughts about that?

    Friday, September 13, 2019 12:50 PM
  • Thank you.

    No MFA.  You think disabling Basic Authentication makes a difference here?

    I think the problem is that T-Mobile routes traffic to the US even when logging on overseas and triggers this alert.  Any thoughts about that?

    Disable Basic Auth in Exchange Online 

    https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online

    and enable MFA ASAP. Seriously. 

    Then after that, see how it looks. 

    Friday, September 13, 2019 1:44 PM
    Moderator
  • Hi,

     

    I am writing here to confirm with you how things are going now.

     

    If you need further help, please provide more detailed information, so that we can give more appropriate suggestions.

     

    Regards,

    Kelvin Deng




    Wednesday, September 18, 2019 1:23 AM
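
The scenario discussed in this thread, as an added example that is not part of any post and is not Microsoft's detection algorithm: a simple speed-based impossible travel check over constructed sign-in records, run once naively and once with suppression of a carrier egress range. The sample users, IPs (RFC 5737 documentation ranges), coordinates, the `CARRIER_EGRESS` list and the 900 km/h threshold are all assumptions made for illustration.

```python
import ipaddress
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample sign-ins: (user, UTC time, client, source IP, lat, lon).
# IPs are documentation ranges (RFC 5737); coordinates are approximate.
SIGNINS = [
    ("alice", "2019-09-12T08:00:00", "Browser",    "203.0.113.10", 48.85, 2.35),    # overseas Wi-Fi
    ("alice", "2019-09-12T08:20:00", "ActiveSync", "198.51.100.7", 47.61, -122.33), # phone via US carrier egress
    ("bob",   "2019-09-12T09:00:00", "Browser",    "192.0.2.44",   40.71, -74.00),  # New York
    ("bob",   "2019-09-12T10:00:00", "Browser",    "203.0.113.99", 35.68, 139.69),  # Tokyo, one hour later
]
# Assumption: ranges the organisation has verified as mobile-carrier roaming egress.
CARRIER_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]
MAX_KMH = 900  # assumed threshold, roughly airliner cruising speed

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def is_carrier_egress(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CARRIER_EGRESS)

def impossible_travel(signins, suppress_carrier=True):
    """Return (user, from_ip, to_ip, km/h) for consecutive sign-ins faster than MAX_KMH."""
    alerts, last = [], {}
    for user, ts, _client, ip, lat, lon in sorted(signins, key=lambda s: s[1]):
        if suppress_carrier and is_carrier_egress(ip):
            continue  # geolocation reflects the carrier gateway, not the user
        when = datetime.fromisoformat(ts)
        if user in last:
            p_when, p_ip, p_lat, p_lon = last[user]
            hours = (when - p_when).total_seconds() / 3600
            kmh = km_between(p_lat, p_lon, lat, lon) / max(hours, 1 / 3600)
            if kmh > MAX_KMH:
                alerts.append((user, p_ip, ip, round(kmh)))
        last[user] = (when, ip, lat, lon)
    return alerts

if __name__ == "__main__":
    print("naive:     ", impossible_travel(SIGNINS, suppress_carrier=False))
    print("suppressed:", impossible_travel(SIGNINS, suppress_carrier=True))
```

Suppressing a range removes its sign-ins from the distance check entirely, so list only ranges you have verified and keep other controls, such as the MFA recommended in the thread, on those sign-ins.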