How to check in Microsoft Entra ID if a user logged in using a VPN?

Erwin Corvera 25 Reputation points
2024-07-02T15:53:15.95+00:00

Good morning!

I really need help in reviewing the Sign-in Logs in Microsoft Entra ID. Lately, we've been receiving an increasing number of alerts about users who failed/succeeded to log in to our network. There have been several instances when I reached out to the users to validate the activities from the source location, and they would immediately confirm the source location as unauthorized BUT would validate the activities and even their chronological order as familiar and legitimate.

After further probing, the users would later confirm that they were using a VPN (example: OpenVPN). Unfortunately, I do not see any information, identifiers, indicators and/or filters in Microsoft Entra ID that could immediately help me confirm if the sign-ins were "cosmetic" or actually took place in a different location.


Accepted answer
  1. James Hamil 22,976 Reputation points Microsoft Employee
    2024-07-02T16:24:54.0933333+00:00

    Hi @Erwin Corvera, there is no direct way to detect whether a user has logged in using a VPN unfortunately.

    You might be able to indirectly determine whether a user has logged in using a VPN by looking at the user's IP address. If the user is logging in from an IP address that is associated with a VPN service, then it is likely that the user is using a VPN to connect to your application or service.

    You can look at the ipaddr claim in the user's ID token or access token. The ipaddr claim contains the IP address of the client that requested the token. Keep in mind that the ipaddr claim is not always reliable and can be spoofed or manipulated by attackers.

    If you're concerned about security risks I would look into MFA for your users.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

    2 people found this answer helpful.
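The following is an added example (not part of the answer above and not Microsoft tooling) of the indirect check James describes: pull the ipaddr claim out of a token and test it against a list of VPN egress ranges. The VPN_EGRESS_RANGES list and the sample tokens are constructed for this illustration; in practice the ranges would come from your VPN vendor or a reputation feed. The decoder deliberately does not verify the token signature, so it must only be pointed at tokens that were already validated, since an unverified payload is attacker-controlled data (the same caveat the answer gives for the claim itself).

```python
import base64
import ipaddress
import json

# Constructed for this example: egress ranges of a hypothetical VPN provider.
# Replace with ranges from your VPN vendor or a reputation feed.
VPN_EGRESS_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("203.0.113.0/24", "2001:db8:abcd::/48")
]


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying its signature.

    Only use on tokens that were validated elsewhere: an unverified payload
    can say anything an attacker wants, including a fake ipaddr claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_vpn_ip(ip: str) -> bool:
    """True if the address falls inside any known VPN egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_EGRESS_RANGES)


def classify_token(token: str) -> dict:
    """Report the token's subject, its ipaddr claim, and whether that IP is a VPN egress.

    'vpn' is None when the token carries no ipaddr claim at all, so the
    caller can distinguish 'not a VPN' from 'no evidence either way'.
    """
    claims = decode_jwt_payload(token)
    ip = claims.get("ipaddr")
    if ip is None:
        return {"upn": claims.get("upn"), "ipaddr": None, "vpn": None}
    return {"upn": claims.get("upn"), "ipaddr": ip, "vpn": is_vpn_ip(ip)}


def make_unsigned_token(claims: dict) -> str:
    """Build a syntactically valid, unsigned JWT for the demo (alg=none, empty signature)."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed sample tokens for the example (not real Entra tokens).
SAMPLE_TOKENS = [
    make_unsigned_token({"upn": "alice@contoso.example", "ipaddr": "203.0.113.45"}),
    make_unsigned_token({"upn": "bob@contoso.example", "ipaddr": "198.51.100.7"}),
    make_unsigned_token({"upn": "carol@contoso.example", "ipaddr": "2001:db8:abcd::1"}),
    make_unsigned_token({"upn": "dave@contoso.example"}),
]


if __name__ == "__main__":
    for tok in SAMPLE_TOKENS:
        print(classify_token(tok))
```

A hit here only says the sign-in came through a known VPN egress; it does not prove the user is who they say they are, which is why the answer pairs it with MFA.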

1 additional answer

  1. David Broggy 5,701 Reputation points MVP
    2024-07-02T17:51:48.1+00:00

    Hi Erwin,

    You can get pretty close to your answer if you're able to log all sources to a SIEM, such as Sentinel.

    By querying all relevant log sources (VPN and Azure AD) by the time windows of interest, and using 'union' queries to present all relevant fields, you can list all user and IP related activities in the same output.

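The following is an added example (not part of David's answer and not a Sentinel query) that does offline what he describes: union the Entra sign-in log with the VPN log into one timeline, then mark each sign-in as explained when the same user had a VPN session covering that time whose egress IP matches the sign-in's source IP. Both record sets are constructed for the illustration; the VPN log schema (user, action, egress_ip) and the two-minute slack are assumptions, while createdDateTime, userPrincipalName and ipAddress mirror the Entra SigninLogs column names. In Sentinel the same shape is a union across SigninLogs and your VPN table filtered to the time window, followed by the per-user window match.

```python
from datetime import datetime, timedelta

# Constructed VPN connection log (assumed schema: ts, user, action, egress_ip).
VPN_EVENTS = [
    {"ts": "2024-07-02T09:00:00Z", "user": "Alice@contoso.example",
     "action": "connect", "egress_ip": "203.0.113.45"},
    {"ts": "2024-07-02T09:30:00Z", "user": "Alice@contoso.example",
     "action": "disconnect", "egress_ip": "203.0.113.45"},
]

# Constructed Entra sign-in records (column names follow SigninLogs).
SIGNINS = [
    {"createdDateTime": "2024-07-02T09:05:12Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.45", "status": "Success"},
    {"createdDateTime": "2024-07-02T11:00:00Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.45", "status": "Failure"},
    {"createdDateTime": "2024-07-02T09:10:00Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.7", "status": "Success"},
]


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def merged_timeline(signins, vpn_events):
    """Union both sources into one time-ordered list with common field names."""
    rows = []
    for e in signins:
        rows.append({"time": parse_ts(e["createdDateTime"]), "source": "SigninLogs",
                     "user": e["userPrincipalName"].lower(), "ip": e["ipAddress"],
                     "detail": e["status"]})
    for e in vpn_events:
        rows.append({"time": parse_ts(e["ts"]), "source": "VpnLogs",
                     "user": e["user"].lower(), "ip": e["egress_ip"],
                     "detail": e["action"]})
    return sorted(rows, key=lambda r: r["time"])


def active_vpn_sessions(vpn_events):
    """Pair connect/disconnect events per user into (user, start, end, egress_ip) windows.

    A session still open at the end of the log gets end=None (open-ended).
    """
    open_sessions, sessions = {}, []
    for e in sorted(vpn_events, key=lambda x: parse_ts(x["ts"])):
        user = e["user"].lower()
        if e["action"] == "connect":
            open_sessions[user] = (parse_ts(e["ts"]), e["egress_ip"])
        elif e["action"] == "disconnect" and user in open_sessions:
            start, ip = open_sessions.pop(user)
            sessions.append((user, start, parse_ts(e["ts"]), ip))
    for user, (start, ip) in open_sessions.items():
        sessions.append((user, start, None, ip))
    return sessions


def explain_signins(signins, vpn_events, slack=timedelta(minutes=2)):
    """Flag each sign-in as explained_by_vpn when a matching VPN session covers it.

    A match requires the same user, the same egress IP, and a sign-in time
    inside the session window (widened by `slack` for clock drift).
    """
    sessions = active_vpn_sessions(vpn_events)
    out = []
    for e in signins:
        t = parse_ts(e["createdDateTime"])
        user = e["userPrincipalName"].lower()
        explained = False
        for (u, start, end, ip) in sessions:
            if u != user or ip != e["ipAddress"]:
                continue
            if start - slack <= t and (end is None or t <= end + slack):
                explained = True
                break
        out.append({**e, "explained_by_vpn": explained})
    return out


if __name__ == "__main__":
    for row in merged_timeline(SIGNINS, VPN_EVENTS):
        print(row["time"].isoformat(), row["source"], row["user"], row["ip"], row["detail"])
    for row in explain_signins(SIGNINS, VPN_EVENTS):
        print(row["userPrincipalName"], row["createdDateTime"], "explained_by_vpn =", row["explained_by_vpn"])
```

In the sample, Alice's 09:05 sign-in is explained by her 09:00 to 09:30 VPN session, her 11:00 failure from the same egress IP is not (no session covers it, so it deserves a look), and Bob's sign-in has no VPN record at all. The unexplained rows are the ones worth the phone call.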