How To
Summary
A significant number of users across multiple domains have reported receiving an email indicating “unusual sign‑in activity” for a Microsoft account. In many cases, the recipients do not have an Office 365 or Microsoft Entra ID account within the customer’s tenant, yet the message is delivered to their non‑Microsoft email address.
Microsoft uses the same account protection email infrastructure for both Microsoft personal (MSA) accounts and Microsoft Entra ID (work or school) accounts. As a result, security notifications may appear similar regardless of account type.
This situation can understandably raise concern, as recipients may assume the email is illegitimate or malicious. This document explains how to validate the legitimacy of the message, why it may be received, and what actions (if any) are required.
Example of the Reported Email:
"
From: account-security-noreply@accountprotection.microsoft.com
Contents:
Microsoft account
Security Code
Please use the following security code for the Microsoft account: account@contoso.com
Security Code: XXXXXX
If you don't recognize the Microsoft account account@contoso.com, you can click here to remove your email address from that account.
Thanks,
The Microsoft account team
"
It is important to note that the security code shown in the message is typically associated with one of the following:
• Password reset
• MFA challenge
• Account verification
Security code emails are commonly triggered even when a sign-in attempt fails or is challenged by Microsoft risk detection.
Objective
The objective of this document is to help end users:
- Determine whether the email is legitimate
- Understand why these emails are received
- Validate the activity safely, without interacting with embedded email links
Environment
- Microsoft personal (Live) accounts
- Microsoft school or corporate accounts
- Applies to environments where users authenticate to Microsoft services from Windows devices; the Windows operating system itself is out of scope.
- Microsoft 365 services such as Teams, Exchange Online, Defender, Office, OneDrive, SharePoint Online, Planner, Microsoft Lists, etc.
Steps
How to Identify if Emails from @accountprotection.microsoft.com are Legitimate
Microsoft explicitly states that emails sent from the domain @accountprotection.microsoft.com are legitimate Microsoft account security notifications.
These messages are used for:
- Security verification codes
- Unusual sign‑in alerts
- Password or security‑info change notifications
Microsoft confirms that messages originating from account-security-noreply@accountprotection.microsoft.com are valid and associated with Microsoft account protection workflows.
Although the source email appears to be legitimate, it’s important to note that email spoofing is still possible.
Even if your Information Security team has already validated the sender address and confirmed there is no security threat, Microsoft recommends verifying more than just the visible “From” field.
Recommended validation steps include:
a. Verify the actual sender domain:
Microsoft Support suggests confirming that the message originates from the official domain @accountprotection.microsoft.com.
b. Review the full message headers:
Even though the admin has already reviewed the headers, Microsoft still recommends validating them to ensure the message was genuinely sent from Microsoft infrastructure.
When reviewing the headers, please look for:
- Successful SPF, DKIM, and DMARC authentication results
- Microsoft sender domains such as *.outbound.protection.outlook.com
Why on‑premises domain (AD) accounts receive these emails:
Even when a user primarily authenticates using an on‑premises Active Directory (AD) account, Microsoft may still send security‑related notifications from @accountprotection.microsoft.com for the following reasons:
Reason 1:
The email indicating “unusual sign‑in activity” was generated because the user’s email address is associated with Microsoft’s cloud‑based identity and security systems through a hybrid or synchronized identity configuration. In environments where on‑premises Active Directory accounts are synchronized with Microsoft Entra ID (Azure AD)—using Password Hash Synchronization, Pass‑Through Authentication, or federated identity—Microsoft Entra ID actively monitors sign‑in behavior and generates security alerts.
Additionally, the same email address may also be linked to a Microsoft personal account (MSA) or configured as a security or recovery contact for another Microsoft account, intentionally or unintentionally. In such cases, Microsoft’s account protection services will continue sending sign‑in alerts and verification notifications to that email address, even if the recipient did not initiate the sign‑in attempt.
As a result, receiving these notifications is expected behavior in hybrid or federated environments and does not necessarily indicate unauthorized access. However, Microsoft recommends that users review their account security activity whenever they receive such alerts to ensure there has been no misuse and that account protection settings remain accurate and up to date.
This situation can occur in the following scenarios:
• A user mistakenly entered your email address as their recovery contact
• Someone intentionally or unintentionally used a corporate email address as a backup or security email
• A recycled or reused email address remains associated with an older Microsoft personal account
Reason 2:
The AD user signs in to cloud services using a Microsoft personal account (MSA) with the same email address.
If the on‑premises AD user’s email address is also used for a Microsoft personal account (MSA), Microsoft may send security notifications to that address regardless of its on‑premises origin.
Examples include usage of the same email for:
- Xbox account
- Personal OneDrive accounts
- Skype, Hotmail, or Outlook.com–linked accounts
Because these services rely on a Microsoft personal identity, security alerts will continue to be delivered to the associated email address.
Verify account activity directly — never through email links:
Microsoft and security best practices strongly recommend verifying account activity by signing in directly to your Microsoft account or Microsoft Entra–associated account using a trusted browser session.
To review recent sign‑ins or security events, navigate manually to the official Microsoft account or security portal rather than clicking links embedded in email messages.
This approach helps ensure you are reviewing legitimate activity and avoids potential phishing or redirection risks.
Do not rely solely on the email “From” address:
Security experts caution against trusting an email based only on the visible “From” address. Even messages that appear to originate from legitimate Microsoft domains can be spoofed.
For this reason, email legitimacy should always be validated using additional indicators such as:
- Full message header analysis
- Sender authentication (SPF, DKIM, DMARC)
- Confirmation through official Microsoft portals rather than email content
Relying solely on appearance can increase the risk of falling victim to spoofed or phishing messages.
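The header checks listed under "Review the full message headers" above and in the "Do not rely solely on the email From address" list can be scripted so that every reported message is assessed the same way. The following Python example is added here and is not part of this IBM document or of any Microsoft tooling. It parses a raw message, uses only the Authentication-Results header stamped by your own receiving gateway (the authserv-id mx.example.net is a hypothetical placeholder, as are the sample messages, hostnames, IP addresses and timestamps), and reports whether SPF, DKIM (aligned to the From domain), DMARC, the From domain and the last relay host all match what Microsoft account protection mail should show.

```python
import email.utils
import re
from email import policy
from email.parser import BytesParser

# Values the document tells you to look for in a legitimate message.
EXPECTED_FROM_DOMAIN = "accountprotection.microsoft.com"
EXPECTED_RELAY_SUFFIX = ".outbound.protection.outlook.com"
# Hypothetical authserv-id of your OWN receiving gateway. Only the
# Authentication-Results header written by this host is evidence; any such
# header already present when the message arrived carries no weight.
OUR_AUTHSERV_ID = "mx.example.net"

# Constructed sample of a message that passes every check (illustrative only).
LEGIT_SAMPLE = b"""Received: from NAM02-PLACEHOLDER.outbound.protection.outlook.com (203.0.113.10)
 by mx.example.net with ESMTPS; Thu, 26 Mar 2026 10:00:00 +0000
Authentication-Results: mx.example.net; spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=accountprotection.microsoft.com; dkim=pass (signature was
 verified) header.d=accountprotection.microsoft.com; dmarc=pass action=none
 header.from=accountprotection.microsoft.com
From: Microsoft account team <account-security-noreply@accountprotection.microsoft.com>
To: user@contoso.com
Subject: Microsoft account unusual sign-in activity

Unusual sign-in activity
"""

# Constructed sample whose visible From address is identical, but whose
# gateway-stamped verdicts fail and whose last relay is not Microsoft's.
# The second Authentication-Results header predates our gateway and is ignored.
SPOOFED_SAMPLE = b"""Received: from mail.bad-relay.example (198.51.100.7)
 by mx.example.net with ESMTP; Thu, 26 Mar 2026 10:05:00 +0000
Authentication-Results: mx.example.net; spf=fail (sender IP is 198.51.100.7)
 smtp.mailfrom=accountprotection.microsoft.com; dkim=none (message not signed)
 header.d=none; dmarc=fail action=quarantine
 header.from=accountprotection.microsoft.com
Authentication-Results: upstream.example; spf=pass dkim=pass dmarc=pass
From: Microsoft account team <account-security-noreply@accountprotection.microsoft.com>
To: user@contoso.com
Subject: Microsoft account unusual sign-in activity

Unusual sign-in activity
"""


def authserv_id(auth_results):
    """The first token of Authentication-Results names the host that added it."""
    return auth_results.split(";", 1)[0].strip().lower()


def parse_auth_results(auth_results):
    """Extract the spf/dkim/dmarc verdicts; a missing method counts as 'none'."""
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b%s=(\w+)" % method, auth_results, re.IGNORECASE)
        verdicts[method] = m.group(1).lower() if m else "none"
    return verdicts


def dkim_signing_domain(auth_results):
    """Domain (header.d=) that signed the message, so DKIM can be checked for alignment."""
    m = re.search(r"header\.d=([\w.-]+)", auth_results, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def from_domain(msg):
    """Domain of the RFC 5322 From address (the part a user sees in the mail client)."""
    addr = email.utils.parseaddr(str(msg["From"]))[1]
    return addr.rpartition("@")[2].lower()


def relay_hosts(msg):
    """Hostnames named in 'Received: from ...' lines, topmost (latest hop) first."""
    hosts = []
    for received in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", str(received), re.IGNORECASE)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def assess(raw_message):
    """Return (checks, verdict): the individual results and whether all of them hold."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    trusted = [str(h) for h in msg.get_all("Authentication-Results", [])
               if authserv_id(str(h)) == OUR_AUTHSERV_ID]
    auth = parse_auth_results(trusted[0]) if trusted else {"spf": "none", "dkim": "none", "dmarc": "none"}
    dkim_d = dkim_signing_domain(trusted[0]) if trusted else ""
    checks = {
        "from_domain_ok": from_domain(msg) == EXPECTED_FROM_DOMAIN,
        "trusted_auth_header": bool(trusted),
        "spf_pass": auth["spf"] == "pass",
        "dkim_pass_aligned": auth["dkim"] == "pass" and dkim_d == EXPECTED_FROM_DOMAIN,
        "dmarc_pass": auth["dmarc"] == "pass",
        "relay_ok": any(h.endswith(EXPECTED_RELAY_SUFFIX) for h in relay_hosts(msg)),
    }
    return checks, all(checks.values())


if __name__ == "__main__":
    for label, raw in (("legit-looking", LEGIT_SAMPLE), ("spoofed-looking", SPOOFED_SAMPLE)):
        checks, ok = assess(raw)
        print(label, "->", "PASS" if ok else "FAIL", checks)
```

Save the message from the mail client in raw (.eml) form and pass its bytes to assess(). The from_domain_ok check is deliberately reported on its own: it is true for both samples, which is exactly the point the document makes about not trusting the visible "From" field. The filter on authserv-id matters because Authentication-Results headers that were already on the message before it reached your gateway prove nothing; RFC 8601 tells receivers to remove or ignore them. A passing result here confirms the message came through Microsoft's infrastructure; reviewing the actual sign-in activity still belongs in the Microsoft portal, as the document describes.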
Additional Information
Summary
How to determine whether the email is legitimate:
To assess whether an email from Microsoft is safe, consider the following best practices:
- Confirm the sender domain
Verify that the email originates from @accountprotection.microsoft.com.
- Review full message headers
Inspect the headers to validate proper sender authentication and confirm the message originated from Microsoft infrastructure.
- Verify account activity directly through Microsoft
Check recent sign-in attempts or security activity by navigating directly to Microsoft’s official website, rather than clicking links included in the email.
- Remain cautious — spoofing is still possible
Even emails that appear legitimate can be spoofed. Always use multiple validation methods before trusting the message.
- Refer to the links below
Additional Microsoft documentation is provided for further validation and reference.
On‑premises Active Directory users may receive Microsoft account protection emails for several legitimate reasons, including:
- Their account is synchronized to Microsoft Entra ID (Azure AD)
- Their email address is configured as a security or recovery contact for a Microsoft account
- They use a Microsoft personal account (MSA) with the same email address
- Their environment uses hybrid identity, where cloud‑based security alerts are still generated
Document Location
Worldwide
Document Information
Modified date:
26 March 2026
UID
ibm17262731