There is now a new health report in Office 365 to monitor sign-ins from IPs that are classed as “risky”.
You can use this new feature if you utilise Active Directory Federation Services (ADFS) to sign into Office 365 and other cloud and on-premises apps which are secured by Azure AD.
When a sign-in is processed using your ADFS servers, then it will audit every single sign in that takes place. The Azure AD Connect Health Service will monitor all of these sign-ins and will analyse it to ensure that it doesn’t present any threats. As seen below, this new feature (which is in preview) will now show any sign-ins that appear from a risky IP:
Clicking this tile and going through into the report shows a list of the IP addresses which Azure notes as risky and the amount of times that a bad password has been recorded. It also shows the number of lock outs and the number of unique users that have attempted to log in from each IP.
You can then take the steps to block these IPs from accessing your ADFS servers to prevent any future attacks!