Microsoft Sentinel/Defender Alerts on Apple iOS Connection to Exchange Online
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 78%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
brichardi
361
Reputation points
Many alerts from Microsoft Sentinel/Defender indicate that users are being flagged as compromised. Further investigation reveals that users were accessing Exchange Online from Apple iPhone/macOS devices. The alerts show connections originating from a foreign country, while it is confirmed that the users are currently in the US.What could explain this issue?
Thanks for your help.
Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud Apps
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 28.000000000000004%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECK%3C/text%3E%3C/svg%3E)
Catherine Kyalo 2,195 Reputation points Microsoft Employee2025-06-03T08:56:04.64+00:00 - Apple iCloud Private Relay or VPN-like Services
Many Apple devices (especially on iOS 15+ and macOS Monterey+) use iCloud Private Relay, which routes traffic through Apple-managed proxy servers. This can cause:
IP geolocation mismatches, where the IP address appears to originate from a different country.
- False positives in Microsoft Defender for Cloud Apps or Sentinel, which rely on IP-based heuristics to detect anomalous sign-ins .
- Third-Party VPNs or Carrier NAT
Some mobile carriers or VPN apps also route traffic through international exit nodes, especially when using:
Global roaming
Carrier-grade NAT (Network Address Translation)
VPNs that default to non-U.S. endpoints
These can trigger alerts for impossible travel, atypical travel, or sign-in from unfamiliar location.
Use Conditional Access with Sign-In Risk
- Configure Conditional Access policies that evaluate sign-in risk rather than just IP location.
- Use Microsoft Entra Identity Protection to assess user and sign-in risk based on behavioral patterns, not just geography
Sign in to comment
Sign in to answer