A risky sign-in is a login activity performed using a user account by someone who is not the owner of that account. More often than not, it is a tell-tale indication of a compromised user account, and could pose a serious threat to the security and confidentiality of your Office 365 tenant. If the user accounts from which risky sign-ins occur are not monitored, your organization could end up losing business critical data to intruders. An important information that can help establish the legitimacy of login is location from which it occurred.

Azure Active Directory displays details about risky sign-ins to your Office 365 tenant under the Security section, Risky Sign-ins tab. 

How to do it with O365 Manager Plus?

O365 Manager Plus goes one step further in monitoring risky sign-ins by offering  geolocation and Client IP filtering option for audit reports and alert triggers. For actions such as login, password change and more, this option allows you to find the country from which the operation was performed, based on the IP address of the device. By combining these with the Business Hours settings, you can scrutinize the logon activity further, by checking if the sign-in happened during the designated time or not.

To create a new alert profile (to monitor logins made from outside the organization's default location or country as configured), follow the steps given below:

1. Go to the Alerts tab.

2. Click on the New Alert Profile option on the bottom left corner.

3. Select the Add Profile option.

4. In the Alert Profile Configuration window that appears, enter a suitable Profile Name and Description.

5. Select the Office 365 Service as Azure Active Directory, Category as Azure AD User and Actions required.

6. You may change the level of severity and Alert Message as you prefer.

7. Under Advanced Configuration, go to Filter Settings, select Filter By Column and configure the countries for which you would like to trigger an alert.

8. Click on Add.

You can also use the Client IP filter to generate alerts as you desire. By filtering Client IPs, you can find out the activities done outside the organization network or your trusted IP ranges. You may choose to block or trust IPs based on the data you get.

To get a custom view of country-wise traffic, you can use the Create New View option available on the top right corner of the audit reports. Enter a suitable name for the custom report and in Summary Based On section, select Country option.