Surface sign-ins from countries each identity hasn't used before.
Anomalous Access shows sign-ins and actions from countries outside each identity's established baseline. The backend pre-filters to just the access that falls outside a user's historical country usage, so every row is a potential anomaly. When there's nothing outside baseline, the page shows an all-clear state.
Open Settings → Security → Anomalous Access.
Optionally filter by identity email and date range.
Review the highlighted rows — each shows the identity, country, IP, and action.
If the page shows the all-clear state, every sign-in in the window came from a country that identity has used before.
Page through results to review all flagged access.
Jump straight to the feature, or browse the rest of the guides.