networking – Windows authentication off trusted network

Our Azure network only allows logins through our vpn with a trusted network ip address. All vpn traffic is routed through these addresses.
These rules are configured and only allow approved intune mobile devices to be not within this trusted address range.
Recently we have discovered in our logs a small, but widespread number of Windows authentication events that are outside the trusted IPs (usually show as someone’s home IP address). We are trying to figure out how this could occur and the best method of troubleshooting the issue.
Any thoughts would be greatly appreciated.