Nylas uses the Microsoft OAuth refresh tokens to connect to Office365 mailboxes and synchronize the items inside. We get these tokens from Microsoft after the user successfully signs in through the Microsoft Modern authentication flow.
It is normal to see many log entries in the Azure Sign-In (Non-interactive) logs under the same IP of the user that authenticated the Nylas account instead of the Nylas IPs. These entries represent connection attempts to the email server by Nylas and our services will do this repeatedly throughout the day.
The user's IP is logged even though the traffic is coming from the Nylas IPs because Microsoft designed these logs to allow email administrators to easily trace back to the IP that completed the authentication and consented to the authentication tokens. This is done to make security audits easier. You can see the actual IPs from the originating traffic by looking over the connection logs of the services that Nylas uses (EWS, ActiveSync, Graph)