Alert on Login From Non Native Country Crate
What does the Alert on Login From Non Native Country Crate do?
This Crate enhances security by detecting logins from countries that do not match a user's configured location. It helps administrators quickly identify potential unauthorized access and take necessary action.
This Crate detects and reports logins from non-native countries, but does not take action to block them. It does not change any user configurations within M365., and can't determine if logins from different countries are legitimate due to VPN use.
How the Crate works
Retrieves each user's configured country from Microsoft Graph for comparison.
Retrieves recent login events from Microsoft Graph.
Flags logins originating from a country different from the user's configured location.
Logs a ticket to notify administrators of potential unauthorized access.
You have the option to configure the audit window via a trigger variable named audit_days
. This defines how many past days of login activity to include in the report. For example, if the cron job runs daily, setting this to 1
ensures only new logins are reported, preventing duplicate alerts.
Crate prerequisites
The Microsoft Cloud Integration Bundle must first be installed before unpacking this Crate.
Entra ID Premium P1 or P2 license is required to use this Crate.
Unpack the Alert on Login From Non Native Country Crate
Navigate to Crates > Crate Marketplace in the left side menu Rewst platform.
Search for
Alert on Login From Non Native Country
.Click on the Crate tile to begin unpacking.
Click Unpack Crate.
Click Continue.
Note that you have the option under the Cron Job accordion menu to activate the Crate for all future organizations in addition to the current one. You may also set activation to certain tags, trigger criteria, or for integration overrides.
Click Unpack.
Use the Crate
To test this Crate, you'll need to adjust the cron trigger's schedule to a few minutes in the future, then adjust it back to your regular schedule after the test. Alternatively, you could wait until the regularly scheduled run occurs and check your result, which would not require you to update the cron trigger schedule. To edit a cron trigger in the workflow to either test it once or change the timing it will routinely run:
Navigate to Automations > Workflows.
Search for
[REWST - CRATE] M365: Alert on Login from Non-Native Country
.Click on the workflow to open it in the workflow builder.
Click
to open the edit trigger menu.
Update the timing of the cron trigger as desired in the fields under Trigger Parameters. Note that when entering the time into the Cron Schedule field, the correct format is minutes followed by hour. For example, 18 3, not 3 18.
Click Submit.
If adjusting to immediately test, remember to adjust the trigger back to its normal timing after testing.
Last updated
Was this helpful?