At first I was nervous but then I realized it was me triggering the “Someone has logged on to your server from an unusual location” message against my Azure SQL database. The process of investigating the “rogue” login didn’t help with what Microsoft offered, I mean it seems hit and miss whether I get routed to the correct audit information via the investigation steps.
Look at the email generated.
You may or may not know the login involved (when you get an email), I think I did but I wanted to investigate further as mentioned by the investigation steps – ‘view suspicious activity to validate whether it is legitimate’, so I clicked it.
Well that was useful right? Anyways, I get the email more or less real time so I connected to the database and issued a common query to find any logins starting with sql.
SELECT login_time, login_name, program_name, host_name, database_id, status
FROM sys.dm_exec_sessions
WHERE login_name LIKE 'sql%';
It was absolutely me.
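An added example, not part of the original post: the same session lookup joined to sys.dm_exec_connections, so each session also shows the client address to compare against the location in the alert. The login prefix and the IP address are constructed placeholders.

```sql
-- Added example. Both values below are constructed placeholders:
-- use the login prefix you are checking and the client IP shown in the alert email.
DECLARE @login_prefix sysname     = N'sql';
DECLARE @alert_ip     varchar(48) = '203.0.113.10';  -- documentation-range address, not a real indicator

SELECT
    s.session_id,
    s.login_time,
    s.login_name,
    s.program_name,          -- reported by the client, can be set to anything
    s.host_name,             -- reported by the client, can be set to anything
    c.client_net_address,    -- address the server saw the connection come from
    c.auth_scheme,
    c.encrypt_option,
    s.status,
    CASE WHEN c.client_net_address = @alert_ip THEN 1 ELSE 0 END AS matches_alert_ip
FROM sys.dm_exec_sessions AS s
LEFT JOIN sys.dm_exec_connections AS c
       ON c.session_id = s.session_id
      AND c.parent_connection_id IS NULL   -- skip MARS child connections
WHERE s.login_name LIKE @login_prefix + N'%'
ORDER BY matches_alert_ip DESC, s.login_time DESC;
```

Both views list only sessions that are still connected, so this works when run right after the alert arrives; a login that has already disconnected will not appear.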