Forum Discussion

Dennis Rylski's avatar
Dennis Rylski
Copper Contributor
May 05, 2017

Has anyone setup a "geofence" to filter/alert when authenticating from "outside the fence"?

I ask this knowing the availability of the Conditional Access (that only works for MFA accounts) feature. Our organization has compelling issues with training availability, hence taking far longer to bring non-IT folk into the MFA field. In the interim lack of that awesome security feature being turned on for the bulk of our 70k users, it would be nice to filter/alert/disable any accounts that login from say, Russia or (IP ranges with pungent hacking activity). That would at least add another layer of difficulty in using stolen credentials from far away on accounts that don't have MFA enabled. I'm thinking for all the $$ AD Premium costs, that it should be an included feature. So OOB stuff aside, has anyone used the REST API to pull "Sign ins from IP addresses with suspicious activity" reports and then email alerts to IT security and auto-reset the user password? I know this is a shot in the dark but that would be some nice code to share. Thanks in advance!
Access Management
Azure Active Directory (AAD)
Identity Management
microsoft 365

5 Replies

  • Anonymous's avatar
    Anonymous
    May 30, 2017
    as others have stated, I believe what you're asking is offered by Azure Identity Protection - which is an Azure AD Premium P2 feature. https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection It doesn't allow you to exclude the IPs of Russia or North Korea specifically, but it allows Microsoft to watch your accounts for abnormal behavior.
  • VasilMichev's avatar
    VasilMichev
    MVP
    May 06, 2017

    Conditional access does not only work for MFA, you can use it in other scenarios such as "block login for requests coming from IP range". Go to the AAD blade, Conditional Access, New Policy. Select the Users/Groups to apply the policy agianst, select the apps to apply the rule to (probably All), and select the Location based condition. In the Access control section, select Block. Make sure to Enable the policy before saving.

     

     

    Alternatively, AD FS can be used to block extenral access/allow only specific IPs.

    • Dennis Rylski's avatar
      Dennis Rylski
      Copper Contributor
      May 26, 2017
      Thanks for the reply Vasil! Turns out when you get down to the "Conditions\Locations" setting, the Exclude option essentially blocks everything except the "Trusted Locations", which in our case is our local networks/pub IP ranges. There is no option there to "blacklist" particular IP ranges, just exclude everything that isn't a whitelisted "Trusted Location". Thanks again for taking the time to reply...I appreciate it even though there isn't a solution built into AAD yet it seems to blacklist unwanted CIDR blocks. Will keep looking myself and if I find some option that works; will post back here.