KB #1006: ACB 365 causes multiple warnings about impossible travel activity
Challenge
The activity log within Microsoft Cloud Security Center shows warnings about impossible travel activity for users included in the ACB 365 backup.
Description
The user XX performed an impossible travel activity.
The user was active from IP x.x.x.x in COUNTRY and IP x.x.x.x in COUNTRY within X minutes.
Solution
Add the following ACB 365 Proxy IP addresses to the IP address range page within Microsoft Cloud Security Center:
Cause
This is due to ACB 365 connecting to Microsoft 365 as an application impersonating the specific user that is being processed during a backup. This is normal behavior and will only occur when a user is not located in the same region as an ACB proxy, e.g. when a user is traveling and has a connection to Microsoft 365.
This can be ignored or the above solution can be implemented to improve the accuracy of the alerts within Microsoft Cloud Security Center.
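The effect described above, as an added example that is not part of the original KB article or the vendor's code: a simplified impossible-travel check run over constructed sign-in events, with and without a proxy range marked as trusted. The speed threshold, event data, coordinates and RFC 5737 documentation addresses are assumptions, and this is not Microsoft's actual detection algorithm.

```python
import ipaddress
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed threshold: roughly airliner cruising speed

# Constructed sign-in events: (user, UTC time, source IP, latitude, longitude).
# IPs are RFC 5737 documentation addresses, not real ACB 365 proxy addresses.
EVENTS = [
    ("alice", "2024-05-01T08:00:00", "203.0.113.10", 40.71, -74.01),  # user traveling, New York
    ("alice", "2024-05-01T08:12:00", "192.0.2.51", 50.11, 8.68),      # backup proxy, Frankfurt
    ("alice", "2024-05-01T09:30:00", "203.0.113.10", 40.71, -74.01),
    ("bob", "2024-05-01T08:00:00", "198.51.100.7", 52.37, 4.90),      # Amsterdam
    ("bob", "2024-05-01T08:20:00", "203.0.113.99", 35.68, 139.69),    # Tokyo, unexplained
]

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, trusted_ranges=()):
    """Return (user, ip_a, ip_b) for consecutive sign-ins needing > MAX_KMH.

    Events whose source IP falls in trusted_ranges are dropped first, which is
    the effect of registering the backup proxies as a known IP range.
    """
    nets = [ipaddress.ip_network(r) for r in trusted_ranges]
    last, alerts = {}, []
    for user, ts, ip, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue  # known proxy: says nothing about where the user is
        when = datetime.fromisoformat(ts)
        if user in last:
            p_when, p_ip, p_lat, p_lon = last[user]
            hours = (when - p_when).total_seconds() / 3600
            km = km_between(p_lat, p_lon, lat, lon)
            if p_ip != ip and hours > 0 and km / hours > MAX_KMH:
                alerts.append((user, p_ip, ip))
        last[user] = (when, ip, lat, lon)
    return alerts

if __name__ == "__main__":
    print(impossible_travel(EVENTS))                    # proxy hops alert too
    print(impossible_travel(EVENTS, ["192.0.2.0/24"]))  # only the unexplained hop
```

Dropping events from the trusted range also hides any other activity from those addresses, so the range should be no wider than the proxy list itself.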