• Users accessing internet via Cloud SWG (formerly WSS) using WSS Agents.
• SAML Authentication is enabled for WSS Agent users, where SAML IDP server is Azure.
• Agents located in region close to a number of different data centers (Stockholm, Oslo) and sometimes can connect to multiple locations in space of hours.
• Azure administrator sees 'Impossible Travel' alert messages reported from what appears to be Cloud SWG egress IP addresses.
Microsoft Azure as SAML IDP
• WSS Agent can switch to other locations if the closest one is not reachable (due to site maintenance, or other connectivity issues). For example, it can be connected to Copenhagen (GDKCP) and then, switch to Oslo (GNOOS).
• Microsoft Azure detects the Oslo IP as 'Impossible Travel' - so the connections from two different countries with too short travel time (https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/detecting-and-remediating-impossible-travel/ba-p/3366017).
• In case of WSS Agent, it is still connecting to valid, Cloud SWG egress IP address so it is not compromised.
To resolve this type of issues it is best to use Dedicated IP feature in Cloud SWG. This will guarantee that only dedicated IP addresses to the specific Cloud SWG tenant will be used, even if WSS Agent is switching between data centers.
As a workaround, the IP ranges from other Cloud SWG data centers can be added to Azure whitelist (Cloud SWG (formerly known as WSS) Ingress and Egress IP addresses)