Google Account Security Alerts – Understanding ‘Security Alert for Your Linked Google Account’

google-workspace, security

We use GSuite for our small business. One of our employees received a "Security alert for your linked Google Account" email at her personal email address. It claims that her work account has signed into a new iOS device. Here's an anonymized screenshot of the email:

[Image: anonymized screenshot of the email]

The employee performed no such login to any device. Our GSuite administrator inspected login history and there was no recent activity (success or failure attempts) on that account. We suspended the account until we can figure this mystery out.

I inspected the email HTML and the links take you to the Google website, not some third-party site. So we are left to conclude that the email is likely legitimate and truly from Google, but inaccurate.

If this email is legitimate, is it possible that someone "signed in" to the Google Account without it being recorded in the Login Audit Logs?

Are there any other means of confirming the authenticity of this email in GSuite?

Best Answer

As it turns out, iOS devices do not record an audit entry into the admin logs as they use OAuth. I was able to determine what/where a user logged in by:

  1. Changing the user's password, to make sure the user cannot log in again.
  2. Resetting sign-in cookies, to make sure any intruder is logged out.
  3. Re-enabling the user's account.
  4. Then clicking the "Check Activity" button on the email the user was sent.

This confirmed that the login was indeed from our network, so we can be somewhat sure this was not a security breach.

Only speculating here, but this user has an iPad 2, which she uses to connect. She was using it during this period, but claims she performed no login, so it's conceivable the iPad did this without her knowledge (or she did it without her knowledge).
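
For the question's last point, one header-level check beyond inspecting the links, as an added example (not part of the original question or answer): read the Authentication-Results header stamped by your own receiving mail server and require DKIM and DMARC to pass for the sender's domain. The server name `mx.example.net`, the expected domain `accounts.google.com` and the sample message are assumptions; take the real values from a known-good alert in the same mailbox.

```python
import email
import re
from email import policy
from email.utils import parseaddr
# Constructed sample (not from the page). mx.example.net stands in for your own
# receiving mail server; the second header imitates one forged by a sender.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@accounts.google.com header.s=sel1;
 dmarc=pass (p=REJECT) header.from=accounts.google.com
Authentication-Results: mx.example.net; dkim=pass header.i=@evil.example
From: Google <no-reply@accounts.google.com>
Subject: Security alert for your linked Google Account
"""

def parse_authres(value):
    """Return (authserv_id, {method: (result, properties)}) for one header value."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop RFC 8601 comments
    parts = [p.strip() for p in value.split(";") if p.strip()]
    methods = {}
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        methods[method.lower()] = (result.lower(), props)
    return parts[0].split()[0].lower(), methods

def verify_alert(raw, trusted_authserv, expected_domain):
    """Return a list of failure reasons; an empty list means every check passed."""
    msg = email.message_from_string(raw, policy=policy.default)
    headers = msg.get_all("Authentication-Results") or []
    if not headers:
        return ["no Authentication-Results header"]
    # Trust only the topmost header: lower ones may come from the sender.
    authserv, methods = parse_authres(str(headers[0]))
    if authserv != trusted_authserv:
        return [f"topmost header is from untrusted server {authserv}"]
    problems = []
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if from_domain != expected_domain:
        problems.append(f"From domain is {from_domain or 'missing'}")
    dkim, dprops = methods.get("dkim", ("none", {}))
    signer = (dprops.get("header.d") or dprops.get("header.i", "").rpartition("@")[2]).lower()
    if dkim != "pass" or signer != expected_domain:
        problems.append(f"dkim={dkim} signer={signer or 'none'}")
    dmarc, mprops = methods.get("dmarc", ("none", {}))
    if dmarc != "pass" or mprops.get("header.from", "").lower() != expected_domain:
        problems.append(f"dmarc={dmarc}")
    return problems
```

A pass shows only that the sender's domain really sent the message; whether the sign-in itself was expected still has to be checked as the answer describes.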