Microsoft Azure IP ranges & what they mean for fraud
Microsoft Azure publishes the most granular range set of any cloud — tens of thousands of per-service prefixes.
How Sentinel uses these ranges
Sentinel tags traffic from these ranges with the dch (datacenter/hosting) signal in real time. The numbers above come from Microsoft Azure's own published range feed — the same feed Sentinel's verdict pipeline refreshes continuously, so a new range is scored within hours of publication, not whenever a static database ships.
Range data adds a signal; it never overrides deeper network detection. VPN exits live in datacenters, so a range hit doesn't short-circuit tunnel analysis — an IP in Microsoft Azure's ranges that is also a VPN exit gets both signals, and your policy sees the full picture in the reasons array.
Should you block Microsoft Azure traffic?
Azure VMs and Functions appear in bot traffic for the same reason AWS does: minute-billed compute with a clean corporate ASN. Legitimate enterprise integrations also live here in volume.
The honest answer is: it depends on the surface. A datacenter IP on a signup, login, or checkout is a strong review signal — humans overwhelmingly arrive from residential and mobile networks. The same IP calling your API is often just a legitimate backend. Sentinel returns the raw signal so you can apply exactly that asymmetric policy instead of a blanket block.
curl -X POST https://sntlhq.com/v1/evaluate \ -H "Authorization: Bearer sk_test_sandbox" \ -H "Content-Type: application/json" \ -d '{"token":"test_datacenter"}'
The sandbox key returns the documented datacenter-verdict shape (decision, risk_score, network.datacenter) — no signup required. Details in the API docs.
Free tier: 1,000 requests/hour. No card, no expiry.