We combine the IP address and the user agent to determine whether a user is "known" to the system. The user agent is the means by which the user connected to Microsoft 365; it may be a device (phone or computer) or a new combination of web browser and IP.
People move, which causes their IP address to change, and they sometimes change their device and software, which causes the user agent to change. Both changing at the same time is less common and should be investigated as a potential breach.
Example: A user logs into Microsoft 365 from a public computer while traveling. Office Protect will detect this previously unseen device and raise a User Accessed with Previously Unknown Device and IP alert and a Sign-In from Unauthorized Country alert.
We recommend investigating the Audit Logs for the user in question and, if needed, the user should be Disabled.
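The "both changed at once" check described above, sketched as an added example (not Office Protect's own code). It assumes exact-match comparison of IP and user-agent strings per user. The record field names and the choice not to learn values from an alerting sign-in are assumptions of this sketch.

```python
from collections import defaultdict

# Constructed sign-in records in chronological order (not real audit data).
# Field names are assumptions, not the Microsoft 365 audit log schema.
SIGN_INS = [
    {"user": "alice@example.com", "ip": "192.0.2.10", "agent": "Edge/Windows"},
    {"user": "alice@example.com", "ip": "192.0.2.10", "agent": "Edge/Windows"},
    {"user": "alice@example.com", "ip": "198.51.100.7", "agent": "Edge/Windows"},  # travelling, same laptop
    {"user": "alice@example.com", "ip": "192.0.2.10", "agent": "Outlook/iOS"},     # new phone, usual IP
    {"user": "alice@example.com", "ip": "203.0.113.99", "agent": "Chrome/Linux"},  # public computer
    {"user": "alice@example.com", "ip": "203.0.113.99", "agent": "Chrome/Linux"},  # same source again
]


def classify_sign_ins(events):
    """Return one verdict per event: baseline, known, new_ip, new_agent or alert."""
    seen_ips = defaultdict(set)      # user -> IPs observed so far
    seen_agents = defaultdict(set)   # user -> user agents observed so far
    verdicts = []
    for ev in events:
        user, ip, agent = ev["user"].lower(), ev["ip"], ev["agent"]
        new_ip = ip not in seen_ips[user]
        new_agent = agent not in seen_agents[user]
        if not seen_ips[user] and not seen_agents[user]:
            verdict = "baseline"     # first sign-in: nothing to compare against
        elif new_ip and new_agent:
            verdict = "alert"        # both changed at once: investigate
        elif new_ip:
            verdict = "new_ip"       # user moved, same device or software
        elif new_agent:
            verdict = "new_agent"    # new device or software, familiar IP
        else:
            verdict = "known"
        # Assumption of this example: values from an alerting sign-in are not
        # learned, so a repeat from the same unreviewed source alerts again.
        if verdict != "alert":
            seen_ips[user].add(ip)
            seen_agents[user].add(agent)
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    for ev, verdict in zip(SIGN_INS, classify_sign_ins(SIGN_INS)):
        print(f'{verdict:10} {ev["ip"]:15} {ev["agent"]}')
```

Because the alerting source is never added to the user's known set, the second sign-in from the public computer is flagged again instead of being treated as known.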