
EID-EXP-013: Impossible Travel Detection vs VPN Behavior — Deep Dive for Security Engineers

3 April 2026 by
Jaspreet Singh


Introduction

Impossible travel detection is a widely used identity protection signal in modern cloud environments. (Lefferts & Weinert, 2023) 

However, in real-world deployments, especially with hybrid work models, VPN usage often generates false positives and reduces its effectiveness. (Zohaib et al., 2024)

In this lab (EID-EXP-013), we simulate user behavior across different geographies and VPN endpoints to analyze several core aspects of impossible travel detection:

  • How impossible travel detection actually works
  • Why VPNs break their assumptions
  • How attackers abuse this gap
  • How to tune detection without losing the security signal

To understand the challenges, let's first define what we mean by 'impossible travel detection'.

Impossible travel is a risk-based detection mechanism that flags logins when:

A user signs in from two geographically distant locations within a time window too short for physical travel between them. (What are risk detections? - Microsoft Entra ID Protection, 2026)

Core Detection Logic

  • IP-to-location mapping (GeoIP)
  • Time delta between sign-ins
  • Calculated travel speed threshold
  • Historical user behavior baseline

Example Scenario

Time       Location           Result
9:00 AM    Toronto, Canada    Success
9:45 AM    India              Flagged as impossible travel
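The speed check that the scenario above relies on, as an added Python example (not code from this lab or from Entra ID Protection): GeoIP coordinates for each sign-in, the time delta between them and a constructed 1000 km/h plausibility ceiling are the assumptions, and the Toronto/India pair is a constructed reproduction of the table.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Plausibility ceiling for physical travel (roughly airliner speed plus airport time).
# Constructed threshold for this example; a real engine tunes it per tenant.
MAX_TRAVEL_SPEED_KMH = 1000.0


@dataclass
class SignIn:
    user: str
    when: datetime  # UTC timestamp of the sign-in
    lat: float      # GeoIP latitude of the source IP
    lon: float      # GeoIP longitude of the source IP


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two GeoIP points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def required_speed_kmh(prev, cur):
    """Speed the user would have needed to cover the GeoIP distance in the time delta."""
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:  # same-second or out-of-order events: distance alone decides
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def is_impossible_travel(prev, cur, max_speed_kmh=MAX_TRAVEL_SPEED_KMH):
    """Flag the pair when the implied speed exceeds what physical travel allows."""
    return required_speed_kmh(prev, cur) > max_speed_kmh


# Constructed sign-ins: Toronto at 09:00, Mumbai at 09:45 (the table above),
# plus a Montreal sign-in three hours later that a real traveller could make.
TORONTO = SignIn("alice", datetime(2026, 4, 3, 9, 0), 43.65, -79.38)
MUMBAI = SignIn("alice", datetime(2026, 4, 3, 9, 45), 19.08, 72.88)
MONTREAL = SignIn("alice", datetime(2026, 4, 3, 12, 0), 45.50, -73.57)

if __name__ == "__main__":
    print(f"Toronto->Mumbai: {required_speed_kmh(TORONTO, MUMBAI):.0f} km/h, impossible={is_impossible_travel(TORONTO, MUMBAI)}")
    print(f"Toronto->Montreal: {required_speed_kmh(TORONTO, MONTREAL):.0f} km/h, impossible={is_impossible_travel(TORONTO, MONTREAL)}")
```

Note that the check reasons only about where GeoIP says the IP is; a VPN exit node moves that point instantly, which is exactly the assumption the rest of this post examines.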

Lab Setup (EID-EXP-013)

We built a controlled test environment using:

  • Azure AD / Entra ID tenant
  • Test user accounts
  • Multiple VPN exit nodes (US, Europe, Asia)
  • Real device sign-ins (browser + desktop apps)

Test Scenarios

  1. Normal login without VPN
  2. Rapid location switch via VPN
  3. Split-tunnel VPN vs full-tunnel
  4. VPN + attacker simulation (credential compromise)

Key Findings from the Lab

1. VPNs Frequently Trigger False Positives

When users connect to a VPN:

  • Their public IP changes to the VPN exit node
  • Their geo-location changes significantly
  • As a result, normal user activity may appear suspicious. (Evading Residential Proxy Networks: Protecting Your Devices from Becoming a Tool for Criminals, 2026)

Observation:

For example, a user in India connecting to a US VPN node triggered high-risk impossible travel alerts within minutes. (Yatziv, 2022)

2. Detection Suppression Occurs More Than Expected

Microsoft Entra ID applies intelligent suppression when:

  • Previous sign-ins are trusted.
  • The device is marked compliant.
  • Risk signals are inconsistent.

Impact observed:

  • Some impossible travel events were not flagged at all.
  • This was especially common when the same VPN endpoint was reused. (Yatziv, 2022)

3. Split-Tunnel VPN Creates Inconsistent Signals

With split tunneling:

  • Authentication traffic may go directly (local IP)
  • Other sessions route through VPN.

Result:

  • Multiple IPs in parallel sessions
  • The detection engine becomes less reliable in these scenarios. (Yatziv, 2022)

4. Attackers Can Abuse VPN Familiarity

If an attacker:

  • Uses the same VPN region as the user
  • Or compromises credentials while VPN is active

Then:

  • Impossible travel detection may not trigger at all.
  • Risk score remains low.

This represents a critical security gap. (Yatziv, 2022)

Why Impossible Travel is Not Enough

Limitations

  • Relies heavily on IP geolocation (not always accurate)
  • Assumes physical travel (does not account for VPNs/proxies)
  • Cannot distinguish:

    • Legitimate VPN usage
    • Malicious proxy usage (Impossible Travel Detection With IP Data, 2023)

Advanced Detection Strategy (Recommended)

1. Combine with Sign-in Risk + User Risk

Do not rely on impossible travel alone.

Use:

  • Sign-in risk policies
  • User risk policies
  • Identity Protection signals

2. Use Conditional Access with Context

Instead of blocking access based only on location:

Apply conditions like:

  • Device compliance
  • Hybrid Azure AD joined status.
  • MFA requirement for risky sessions

3. Monitor VPN IP Ranges Explicitly

Maintain awareness of:

  • Corporate VPN IP ranges
  • Known third-party VPN providers

Then:

  • Carefully exclude trusted ranges.
  • Flag unknown VPN providers proactively

4. Enable Continuous Access Evaluation (CAE)

Enabling this provides:

  • Real-time session enforcement
  • Faster response to risk changes (Weinert, 2024)

5. Correlate with Additional Signals

Impossible travel becomes powerful when combined with:

  • Device fingerprinting
  • Token anomalies
  • Session behavior
  • App usage patterns

Detection Engineering Perspective

What Engineers Should Look For

Instead of raw alerts, analyze:

  • Sequence of sign-ins
  • IP reputation
  • Device ID consistency
  • Authentication method changes

Example Threat Pattern

  1. User logs in via corporate VPN
  2. Attacker logs in from the same region (different device)
  3. No impossible travel triggered.
  4. Token theft or persistence follows.
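The correlation that catches the pattern above when impossible travel stays silent (same VPN region, different device, weaker authentication), as an added Python example that is not code from this lab: the corporate and third-party VPN ranges are constructed documentation prefixes, and the sign-in sequence is a constructed replay of the four steps.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory for this example (documentation prefixes, not real providers):
# the corporate VPN egress range and one known third-party VPN provider range.
CORPORATE_VPN = [ip_network("203.0.113.0/24")]
THIRD_PARTY_VPN = [ip_network("198.51.100.0/24")]

@dataclass
class SignIn:
    user: str
    ip: str
    device_id: str
    auth_method: str  # e.g. "mfa" or "password"

def classify_ip(ip):
    """Map a source IP to 'corporate_vpn', 'third_party_vpn' or 'unknown'."""
    addr = ip_address(ip)
    if any(addr in net for net in CORPORATE_VPN):
        return "corporate_vpn"
    if any(addr in net for net in THIRD_PARTY_VPN):
        return "third_party_vpn"
    return "unknown"

def review_sequence(events):
    """Walk sign-ins in order and return findings that location-only logic misses."""
    seen_devices, last_method, findings = {}, {}, []
    for e in events:
        origin = classify_ip(e.ip)
        devices = seen_devices.setdefault(e.user, set())
        # A trusted VPN range does not make a never-seen device trusted.
        if origin == "corporate_vpn" and devices and e.device_id not in devices:
            findings.append(f"{e.user}: new device {e.device_id} on corporate VPN range")
        if origin == "third_party_vpn":
            findings.append(f"{e.user}: sign-in from known third-party VPN {e.ip}")
        if last_method.get(e.user) == "mfa" and e.auth_method != "mfa":
            findings.append(f"{e.user}: auth method changed from mfa to {e.auth_method}")
        devices.add(e.device_id)
        last_method[e.user] = e.auth_method
    return findings

# Constructed replay of the threat pattern above: same VPN region, different device.
SAMPLE = [
    SignIn("alice", "203.0.113.10", "dev-laptop-01", "mfa"),
    SignIn("alice", "203.0.113.10", "dev-laptop-01", "mfa"),
    SignIn("alice", "203.0.113.55", "dev-unknown-77", "password"),
]
```

The third sign-in produces no GeoIP movement at all, so a speed check alone stays quiet; the device-ID and authentication-method findings are what surface it.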

Key Takeaways from EID-EXP-013

  • Impossible travel is a signal, not a control.
  • VPN usage significantly reduces detection accuracy
  • False positives and false negatives both exist.
  • Context-aware Conditional Access is critical.
  • Detection must be multi-signal, not location-based (Assor, 2025)

Final Thoughts

Impossible travel detection works well in theory, but modern enterprise environments—with VPNs, roaming users, and cloud-first access—require more sophisticated identity protection strategies.

In real-world security engineering:

The goal is not to eliminate false positives—but to ensure attackers cannot blend in with normal behavior.



References

Lefferts, R. & Weinert, A. (May 30, 2023). Microsoft identity threat detection and response combines IAM and XDR. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2023/05/31/xdr-meets-iam-comprehensive-identity-threat-detection-and-response-with-microsoft/

Zohaib, S. M., Sajjad, S. M., Iqbal, Z., Yousaf, M., Haseeb, M. & Muhammad, Z. (2024). Zero Trust VPN (ZT-VPN): A Systematic Literature Review and Cybersecurity Framework for Hybrid and Remote Work. Information 15(11). https://doi.org/10.3390/info15110734

What are risk detections? - Microsoft Entra ID Protection. (2026). Microsoft Learn. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks

Evading Residential Proxy Networks: Protecting Your Devices from Becoming a Tool for Criminals. (March 19, 2026). FBI. https://www.fbi.gov/investigate/cyber/alerts/2026/evading-residential-proxy-networks-protecting-your-devices-from-becoming-a-tool-for-criminals

Yatziv, A. (May 11, 2022). Detecting and Remediating Impossible Travel. Microsoft Community Hub. https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/detecting-and-remediating-impossible-travel/3366017

Impossible Travel Detection With IP Data. (2023). IPinfo.io. https://ipinfo.io/blog/impossible-travel-detection-ip-data-accuracy

Weinert, A. (May 8, 2024). New developments in Microsoft Entra ID Protection. Microsoft Community Hub. https://techcommunity.microsoft.com/blog/identity/new-developments-in-microsoft-entra-id-protection/4062701

Assor, Y. (2025). Demystifying Impossible Traveler Detection. Palo Alto Networks Blog. https://www.paloaltonetworks.com/blog/security-operations/demystifying-impossible-traveler-detection/
