Forum Discussion

sumo83's avatar
sumo83
Iron Contributor
Jan 31, 2024

Locked account due to many attempts from malicious IP

Hello experts,   today, a user contacted me that she cannot access M365 and asked to unlock her account. 1st thing I've checked were her log-ins in MS Entra and there I've found many and many attem...
Azure Active Directory (AAD)
Conditional Access
identity protection
MFA
PeterJoInobits's avatar
PeterJoInobits
Brass Contributor
Feb 02, 2024
Have you taken a look at this?

https://blog.admindroid.com/configure-smart-lockout-in-microsoft-entra/
sumo83's avatar
sumo83
Iron Contributor
Feb 07, 2024

ok.. So I've done some more reading on this.... and looks like SmartLockout is enabled by default? .. and to modify it, I can do it as described in the blog.... So I am not sure if that will help to modify the default settings...

I am a bit surprised that I do not see anything under "Protection > Identity Protection > Risky users , ..or Risky Sign-in"... Cant understand why - as the user's account was blocked due to lots of attempts from malicious IP. I would expect that user would be visible under Risky Users?

 

From sign-in logs, I could see that those attempts were blocked.... during the password spray attack that was going on that account for 2 days... so smart lockout was doing the job I guess.... as it was blocking it without affecting the real user.... However, due to lots of attempts from attacker, the user account got blocked anyway eventually....

 

How to protect against this?

Resources