Sometimes, you may see activity from an odd location, which does not coincide with where your user is located. This does not necessarily mean that the account has been compromised from a remote location, this is often caused by the server-to-server call made within Office 365 for certain actions. For example, if a OneDrive item is attached to an email in the OWA application, or perhaps if a user is working on a document in Word Online, and then saves it to OneDrive, this can cause an event like these. Both of these activities involve interaction between the two services on behalf of the logged in user, and the location where the server-to-server call took place (a Microsoft data center) is logged, instead of where the user is located.
Here’s an example of what this type of event will look like:
One of Microsoft’s EU databases is in Dublin, Ireland.
As these events will feature multiple times in your timeline, you should see the same locations appear again and again, and you will be able to familiarise yourself with what is ‘normal’, and what could be considered suspicious or anomalous. It is also possible to apply filters to remove all events with this location (just exclude all events with these locations), so that you can see a clear timeline which does not include data centers.