How do I get alerted on suspicious sign-ins?
Instead of reading logs after the fact, you want a mail or Teams ping when something is off. For sign-in risk signals (impossible travel, infrequent country) this lives in Entra Identity Protection.
Try this first
- Entra admin center > Protection > Identity Protection > Sign-in risk policy. Turn it on and decide whether to enforce on medium or high risk (MFA or block).
- Check live status under 'Risky users' and 'Risky sign-ins'. You see impossible travel, anonymous IP, infrequent country and other signals there.
- Set notification recipients: you plus one backup. Not just one person; people go on vacation.
- Test by signing in via a VPN to another country. If the sign-in shows up in 'Risky sign-ins' within 30 minutes, the configuration works.
- Build a habit: check 'Risky users' at the start of every workday. 30 seconds of work.
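If you export the risk detections instead of reading them in the portal, the daily check and the VPN test from the steps above can be scripted. The sketch below is an added example, not code from this page or from Microsoft; the records are constructed and only use field names from the Microsoft Graph riskDetection resource, and the function names and addresses are made up for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real data), shaped like Graph riskDetection objects.
SAMPLE = [
    {"userPrincipalName": "admin@example.com", "riskEventType": "unlikelyTravel",
     "riskLevel": "medium", "riskState": "atRisk",
     "activityDateTime": "2024-05-06T08:00:00Z", "detectedDateTime": "2024-05-06T08:12:00Z"},
    {"userPrincipalName": "jan@example.com", "riskEventType": "anonymizedIPAddress",
     "riskLevel": "high", "riskState": "atRisk",
     "activityDateTime": "2024-05-06T07:00:00Z", "detectedDateTime": "2024-05-06T09:30:00Z"},
    {"userPrincipalName": "piet@example.com", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "low", "riskState": "atRisk",
     "activityDateTime": "2024-05-05T10:00:00Z", "detectedDateTime": "2024-05-05T10:05:00Z"},
    {"userPrincipalName": "kim@example.com", "riskEventType": "unlikelyTravel",
     "riskLevel": "high", "riskState": "remediated",
     "activityDateTime": "2024-05-04T10:00:00Z", "detectedDateTime": "2024-05-04T10:20:00Z"},
]

LEVELS = {"low": 1, "medium": 2, "high": 3}


def parse(ts):
    # Keep only the whole-second part; timestamps are assumed to be UTC.
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S")


def open_detections(records, threshold="medium"):
    """Detections still at risk, at or above the policy threshold, highest first."""
    hits = [r for r in records
            if r["riskState"] == "atRisk"
            and LEVELS.get(r["riskLevel"], 0) >= LEVELS[threshold]]
    return sorted(hits, key=lambda r: (-LEVELS[r["riskLevel"]], r["detectedDateTime"]))


def vpn_test_detected(records, upn, signin_time, window=timedelta(minutes=30)):
    """Did a sign-in by `upn` at or after `signin_time` surface within the window?"""
    start = parse(signin_time)
    for r in records:
        if r["userPrincipalName"].lower() != upn.lower():
            continue
        delay = parse(r["detectedDateTime"]) - start
        if parse(r["activityDateTime"]) >= start and timedelta(0) <= delay <= window:
            return True
    return False


def digest(records, threshold="medium"):
    """One line per open detection, ready to paste into a mail or Teams message."""
    return [f'{r["riskLevel"].upper()} {r["userPrincipalName"]} '
            f'{r["riskEventType"]} detected {r["detectedDateTime"]}'
            for r in open_detections(records, threshold)]
```

Set `threshold` to the same level you enforce on in the sign-in risk policy, so the digest lists the detections the policy acted on.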
When to bring us in
Identity Protection requires Entra ID P2. Without it you are stuck with weaker signals. Defender for Office covers a different set (mail-flow, phishing) and is a separate topic. We can advise whether the license is worth it for your situation; often it is not necessary.
See also
- I think I clicked a phishing link
  No shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangely
  Sending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codes
  Classic problem after a phone upgrade. You are not the first to be locked out.