Dan Moran
Copper Contributor
Nov 18, 2022

Blocking International Countries

We have a conditional access policy that logs off accounts after 5 failed attempts.

We also have an international policy blocking all international countries and IPs.

Unfortunately, these attempts on our accounts happen before our international blocks.

I have spent way too much time with Msoft support to get nowhere.

Does anyone know how to just block even the attempt of logging on from international countries?

7 Replies

  • Hi again Dan Moran, I did remember once leveraging MCAS (CASB) to block all access to https://portal.office.com from "blocked countries", and the client liked it because that reduced the account lockouts. I'll check if I still have it documented to share.
    • Dan Moran
      Copper Contributor

      Thiago-Beier 

      Any help would be greatly appreciated. I will try to find the setting on my side as well.

      • Thiago-Beier
        MCT

        Hi again, my access was revoked; I got a screenshot here.
        I need to revisit this topic, but this helped us to get accounts blocked before MFA.

        I'll see if I can get this going on my DEMO tenant to post it.

        Dan Moran 

  • I follow what you're saying, and this article, https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-location, states that "Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access."
    I also wonder what people are doing around this, what would be a great recommendation here and what's on MSFT roadmap for this specific scenario.

    Cheers,
    Thiago Beier
  • KernelCaleb
    Copper Contributor

    Dan Moran

    Hi Dan. Conditional Access policies apply after first factor authentication, so the actor would need to have provided correct credentials before your Conditional Access policies will apply to the sign-in attempt.

    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy

    • Dan Moran
      Copper Contributor

      KernelCaleb 

      Thank you very much for the response.

      So how does anyone block outsiders from locking down accounts with any type of conditional access policy? This is what we are dealing with. Accounts get attacked and thus they get locked down. The policy is doing what we ask it to, thankfully.

      But how do you protect accounts from just being locked down, almost like a DDoS attack?

      That is the discussion in another group I am with.

      It just seems there should be some sort of rule that can apply if after x-amount of attempts, block the IP or country or something like that.

      Dan
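
An added example, not part of any post in this thread: Python that splits foreign sign-in failures into those rejected before first-factor authentication completes (which, per the replies above, Conditional Access never evaluates) and those blocked by Conditional Access, and produces the per-IP attempt count the last post describes. The records are constructed and only shaped like Microsoft Graph sign-in log entries; the home country `US`, the threshold of 3, and the helper names `rec` and `summarize` are assumptions.

```python
from collections import Counter, defaultdict

# Entra ID sign-in error codes, found in status.errorCode of each sign-in record.
INVALID_CREDENTIALS = 50126  # wrong username or password (first factor failed)
ACCOUNT_LOCKED = 50053       # rejected because the account is locked out
BLOCKED_BY_CA = 53003        # Conditional Access block (first factor succeeded)
PRE_AUTH_FAILURES = {INVALID_CREDENTIALS, ACCOUNT_LOCKED}


def rec(user, ip, country, code):
    """Build one constructed record with the fields this example reads."""
    return {"userPrincipalName": user, "ipAddress": ip,
            "location": {"countryOrRegion": country},
            "status": {"errorCode": code}}


# Constructed sample data: documentation IP ranges, placeholder country codes.
SAMPLE_SIGNINS = [
    rec("alice@example.com", "203.0.113.10", "ZZ", INVALID_CREDENTIALS),
    rec("alice@example.com", "203.0.113.10", "ZZ", INVALID_CREDENTIALS),
    rec("bob@example.com", "203.0.113.10", "ZZ", INVALID_CREDENTIALS),
    rec("alice@example.com", "203.0.113.10", "ZZ", ACCOUNT_LOCKED),
    rec("carol@example.com", "198.51.100.7", "XX", BLOCKED_BY_CA),
    rec("dave@example.com", "198.51.100.7", "XX", INVALID_CREDENTIALS),
    rec("bob@example.com", "192.0.2.20", "US", INVALID_CREDENTIALS),
    rec("bob@example.com", "192.0.2.20", "US", 0),  # 0 = successful sign-in
]


def summarize(signins, home_country="US", threshold=3):
    """Split foreign failures into pre-authentication ones and CA blocks."""
    pre_auth_by_ip = Counter()
    users_by_ip = defaultdict(set)
    ca_blocks = 0
    for s in signins:
        if s["location"]["countryOrRegion"] == home_country:
            continue  # assumption: only non-home-country attempts are of interest
        code = s["status"]["errorCode"]
        if code in PRE_AUTH_FAILURES:
            pre_auth_by_ip[s["ipAddress"]] += 1
            users_by_ip[s["ipAddress"]].add(s["userPrincipalName"])
        elif code == BLOCKED_BY_CA:
            ca_blocks += 1
    # IPs at or over the threshold, with the accounts they targeted.
    noisy = {ip: sorted(users_by_ip[ip])
             for ip, n in pre_auth_by_ip.items() if n >= threshold}
    return {"pre_auth_failures": sum(pre_auth_by_ip.values()),
            "ca_blocks": ca_blocks, "noisy_ips": noisy}
```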
