Failed log on (Failure message: Account is locked because user tried to sign in too many times with
LilleLars As @Vasil Michev said, the CA policies are only applied AFTER successful authentication through basic auth protocols (POP3, IMAP, SMTP, etc.). That's why you're seeing this behaviour.
To eliminate these spray attacks you need to disable basic auth in Exchange Online. Please have a look at the following article on how to do that: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online
Thank you Pavel, I'm testing now and this tenant did not have any "authentication policies" already.
I've done this:
New-AuthenticationPolicy -Name "Block Basic Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"
gives me below result which looks good.
I've waited 10 hours and still I see IMAP error 50053 "account is blocked" in the Sign-ins log.
Hope I did it correct?
AllowBasicAuthActiveSync : False
AllowBasicAuthAutodiscover : False
AllowBasicAuthImap : False
AllowBasicAuthMapi : False
AllowBasicAuthOfflineAddressBook : False
AllowBasicAuthOutlookService : False
AllowBasicAuthPop : False
AllowBasicAuthReportingWebServices : False
AllowBasicAuthRest : False
AllowBasicAuthRpc : False
AllowBasicAuthSmtp : False
AllowBasicAuthWebServices : False
AllowBasicAuthPowershell : False
- Pavel Otych, Apr 28, 2020, Brass Contributor
LilleLars The steps you've done are correct and should be enough. If you're seeing this for a specific user account you can check that he has the policy applied and run "Get-User -Filter "AuthenticationPolicy -eq..." (more info in the article) to make sure. But other than that I think you've done all that was needed and the basic auth should be blocked. You might wait a bit longer and see if it works eventually. Maybe someone else has an idea.
- LilleLars, Apr 28, 2020, Copper Contributor
Hi Pavel, thank you !
Get-User -Identity user@domain.com | fl AuthenticationPolicy returns:
AuthenticationPolicy :
Blank or null?
It might be because it's the default auth policy? As I see in this UserVoice:
https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/38070442-get-user-does-not-show-default-authentication-poli
- Thijs Lecomte, Apr 28, 2020, Bronze Contributor
It's normal that you don't see it that way, as you have added it as a default policy.
I have experienced the same and contacted Microsoft about that.
They informed me that Authentication Policies are unreliable and CA should be used.
I don't like that response, but it's the one I got.
I recommend adding the authentication policy and setting up CA to block the signins that aren't stopped by auth policies.
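The procedure discussed in this thread (create a Basic-auth-blocking authentication policy, make it the tenant default, then verify it per user), written out as one script. This is an added example and not code posted by any participant. It assumes the ExchangeOnlineManagement module is installed and the signed-in account is an Exchange administrator; the policy name "Block Basic Auth" and the user user@domain.com are placeholders taken from the thread, and the use of the policy's distinguished name in the Get-User filter is an assumption about how the AuthenticationPolicy attribute is stored.

```powershell
# Added example, not from the thread. Assumes ExchangeOnlineManagement is installed
# and the caller is an Exchange admin. Policy name and user are placeholders.
Connect-ExchangeOnline

$policyName = "Block Basic Auth"   # placeholder from the thread
$user       = "user@domain.com"    # placeholder from the thread

# 1. Create the policy. Every AllowBasicAuth* switch defaults to $false, so a
#    policy created with no switches blocks Basic auth for all protocols.
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# 2. Make it the tenant default. Users with no explicit policy inherit it.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 3. Verify at the org level. This is where the default shows up; Get-User
#    returns a blank AuthenticationPolicy for users who only inherit the default,
#    which is the "blank or null" result seen in the thread.
Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy

# 4. Confirm every AllowBasicAuth* property on the policy is False.
Get-AuthenticationPolicy -Identity $policyName |
    Select-Object -Property AllowBasicAuth* |
    Format-List

# 5. Optional: assign the policy explicitly to a user so Get-User shows it,
#    then list every user that carries an explicit assignment.
Set-User -Identity $user -AuthenticationPolicy $policyName
$policyDn = (Get-AuthenticationPolicy -Identity $policyName).DistinguishedName   # assumption: filter matches on DN
Get-User -Filter "AuthenticationPolicy -eq '$policyDn'" |
    Select-Object UserPrincipalName, AuthenticationPolicy

# 6. Policy changes can take up to 24 hours to propagate. To force
#    re-evaluation for one user now, invalidate that user's existing tokens.
Set-User -Identity $user -STSRefreshTokensValidFrom (Get-Date)

Disconnect-ExchangeOnline -Confirm:$false
```

Step 3 is the check worth running before waiting hours: if DefaultAuthenticationPolicy is populated and step 4 shows all False, the Exchange side is configured as intended, and a user on the default policy is expected to show a blank AuthenticationPolicy in Get-User. Step 5 only matters when a specific account must show the policy explicitly or needs a different policy from the tenant default.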