Forum Discussion
Failed log on (Failure message: Account is locked because user tried to sign in too many times with
Are you looking at the MCAS logs? Those arrive with some delay, best check directly against the Azure AD sign-in logs. The settings you've configured should be enough to prevent this type of attack, which is usually brute-forcing credentials via POP/IMAP.
VasilMichevThank you for the follow up. Yes I am seeing the logs in MCAS, unfortunately we do not have a premium Azure AD subscription so I can't see the logs in there.
From my reading I thought is was through POP and IMAP as well but I've disabled that in the exchange mail boxes. Is there somewhere that needs to be set?
Even without AAD Premium, you can see it on the corresponding user object's details page.
Disabling POP/IMAP will not affect these entries, blocking legacy auth should however, so check whether you missed something on that front.
VasilMichev Thank you for your continued help, I checked the Azure Ad logs (thank you for the tip) and saw that it was IMAP and SMTP, mostly SMTP.
These alerts were on 7-1 and 7-2
I ran this powershell script on all my users on 6-28
$Mailboxes = Get-Mailbox -ResultSize Unlimited
ForEach ($Mailbox in $Mailboxes) {$Mailbox | Set-CASMailbox -PopEnabled $False -ImapEnabled $False }
I checked the account in exchange and it seems like it is disabled, see below, although I don't see a way to disabled SMTP
