hhbadarin
Aug 18, 2023
Solved

Thousands of login attempts from external IPs

Hi all, I'm the Global admin of an education tenant in the largest school district in my country, I administer over 90k Microsoft 365 accounts for students and educators. Recently, Azure AD logs st...
  • VasilMichev
    Aug 18, 2023
    Not really, after all M365 is a public cloud service and the login page is available from anywhere. UPNs themselves can be tried at random (you will not see any attempt for a non-existent UPN in the logs), or guesstimated from the email address, etc.
    As for blocking them, CA is an easy way, unfortunately it only triggers after the credentials have been validated. Only Exchange Online allows you to block login attempts on the pre-auth layer, via the so-called Authentication policies: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online#authentication-policy-procedures-in-exchange-online
    That said, most such attempts leverage the Exchange protocols, so this approach might help in your case. If you need to exert further control, your only option would be to redirect the login process to an external system (on-premises AD FS farm or federation provider), where you can apply restrictions as needed.
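
The Exchange Online authentication policy approach mentioned in the reply above, sketched in Exchange Online PowerShell. This is an added example, not part of the original thread; the policy name and the pilot UPN are placeholders, and it assumes the ExchangeOnlineManagement module and an Exchange administrator role.

```powershell
# Added example: block Basic authentication at the pre-auth layer in Exchange Online.
Connect-ExchangeOnline

# Placeholder policy name. A newly created policy blocks Basic authentication
# for every protocol unless an -AllowBasicAuth* switch is specified.
$policyName = 'Block-Basic-Auth'
New-AuthenticationPolicy -Name $policyName

# Confirm what the policy allows; every AllowBasicAuth* value should be False.
Get-AuthenticationPolicy -Identity $policyName | Format-List Name, AllowBasicAuth*

# Pilot on a single account first (placeholder UPN) and verify the assignment.
$pilotUser = 'pilot.user@contoso.example'
Set-User -Identity $pilotUser -AuthenticationPolicy $policyName
Get-User -Identity $pilotUser | Format-List UserPrincipalName, AuthenticationPolicy

# Apply the policy to the pilot account immediately instead of waiting for
# cached tokens to expire.
Set-User -Identity $pilotUser -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# Once the pilot is clean, make the policy the organization default so every
# account without an explicitly assigned policy inherits it.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName
Get-OrganizationConfig | Format-List DefaultAuthenticationPolicy
```

Before setting the organization default, check the sign-in logs for legitimate clients that still authenticate over the affected protocols, since they will stop working once the policy applies to them.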
