Forum Discussion
Block access to 365 Login page from overseas
Greetings,
We are looking into options to prevent DOS attacks into our tenant. Is it possible to prevent a user from reaching the 365 login page from overseas? We currently have a CA enabled to prevent users from logging into 365 from overseas, however the CA only takes affect after implementing the first factor authentication. We would like to prevent the user from reaching the actual login page if their IP is coming from overseas, and not have them input their credentials.
2 Replies
Unfortunately, the only way to block authentication by IP is by using a federated identity provider. As you stated, Conditional Access is an authorization tool that is only able to block by location AFTER authentication has already occurred.
The only potential workaround is a bit of a hack - use custom branding to pull in your own CSS served from your own web server. In doing this, you can use rules on your web server to serve up different CSS based on request origin. This likely won't trip up automated tooling, but anyone (including your users or via AitM) trying to log in interactively would likely not figure it out ;)
Maybe you mean “Block access by location”?
You can read about it on this page https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-by-location
