
Has anyone setup a "geofence" to filter/alert when authenticating from "outside the fence"?

Dennis Rylski
Occasional Contributor
I ask this knowing the availability of the Conditional Access (that only works for MFA accounts) feature. Our organization has compelling issues with training availability, hence taking far longer to bring non-IT folk into the MFA field. In the interim lack of that awesome security feature being turned on for the bulk of our 70k users, it would be nice to filter/alert/disable any accounts that login from say, Russia or (IP ranges with pungent hacking activity). That would at least add another layer of difficulty in using stolen credentials from far away on accounts that don't have MFA enabled. I'm thinking for all the $$ AD Premium costs, that it should be an included feature. So OOB stuff aside, has anyone used the REST API to pull "Sign ins from IP addresses with suspicious activity" reports and then email alerts to IT security and auto-reset the user password? I know this is a shot in the dark but that would be some nice code to share. Thanks in advance!
5 Replies

Conditional access does not only work for MFA, you can use it in other scenarios such as "block login for requests coming from IP range". Go to the AAD blade, Conditional Access, New Policy. Select the Users/Groups to apply the policy against, select the apps to apply the rule to (probably All), and select the Location based condition. In the Access control section, select Block. Make sure to Enable the policy before saving.
Alternatively, AD FS can be used to block external access/allow only specific IPs.

[image: conditionalaccessblock.png] Not sure what happened to the photo...

Thanks for the reply Vasil! Turns out when you get down to the "Conditions\Locations" setting, the Exclude option essentially blocks everything except the "Trusted Locations", which in our case is our local networks/pub IP ranges. There is no option there to "blacklist" particular IP ranges, just exclude everything that isn't a whitelisted "Trusted Location". Thanks again for taking the time to reply...I appreciate it even though there isn't a solution built into AAD yet it seems to blacklist unwanted CIDR blocks. Will keep looking myself and if I find some option that works; will post back here.
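The original question asks about pulling sign-in reports and alerting on logins from "outside the fence", and the reply above notes that the portal offers trusted-location allow-listing but no way to deny particular CIDR blocks. The script below is an added example (not code from this thread or from Microsoft) that does that check offline over constructed sign-in records: it treats trusted CIDRs as inside the fence, then flags any remaining sign-in whose IP falls in a deny-listed CIDR block or whose country is not on an allow-list. The record field names are modelled loosely on Azure AD sign-in log entries but are an assumption, and all IPs and CIDRs are constructed TEST-NET ranges.

```python
import ipaddress
import json

# Constructed sample sign-in records. Field names loosely follow the
# Azure AD sign-in log shape (userPrincipalName, ipAddress, location) but
# are an assumption for this example, not the exact schema.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.25",
  "createdDateTime": "2017-06-01T08:15:00Z", "location": {"countryOrRegion": "US"}},
 {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
  "createdDateTime": "2017-06-01T08:16:00Z", "location": {"countryOrRegion": "CA"}},
 {"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.200",
  "createdDateTime": "2017-06-01T03:02:00Z", "location": {"countryOrRegion": "RU"}}
]""")

# "Trusted locations": the org's own public ranges (constructed TEST-NET block).
TRUSTED_CIDRS = ["203.0.113.0/24"]
# Countries the org expects sign-ins from (the geofence).
ALLOWED_COUNTRIES = {"US", "CA"}
# Explicit deny-list of CIDR blocks, which the portal does not offer (constructed).
BLOCKED_CIDRS = ["192.0.2.0/24"]


def classify(signin, trusted, blocked, allowed_countries):
    """Return the reasons this sign-in is outside the fence (empty list = inside)."""
    reasons = []
    ip = ipaddress.ip_address(signin["ipAddress"])  # handles IPv4 and IPv6
    if any(ip in net for net in trusted):
        return reasons  # trusted location: treated as inside, no further checks
    if any(ip in net for net in blocked):
        reasons.append("ip in blocked CIDR")
    country = signin.get("location", {}).get("countryOrRegion")
    if country not in allowed_countries:
        reasons.append(f"country {country} not in allow-list")
    return reasons


def find_outside_fence(signins, trusted_cidrs=TRUSTED_CIDRS,
                       blocked_cidrs=BLOCKED_CIDRS, allowed_countries=ALLOWED_COUNTRIES):
    """Map each flagged userPrincipalName to the list of reasons it was flagged."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    blocked = [ipaddress.ip_network(c) for c in blocked_cidrs]
    alerts = {}
    for s in signins:
        reasons = classify(s, trusted, blocked, allowed_countries)
        if reasons:
            alerts[s["userPrincipalName"]] = reasons
    return alerts


if __name__ == "__main__":
    for upn, reasons in find_outside_fence(SAMPLE_SIGNINS).items():
        print(f"ALERT {upn}: {', '.join(reasons)}")  # feed these to your alert/email step
```

In practice the records would come from the sign-in report export rather than the embedded sample; the resulting dictionary is what an alerting or ticketing step would consume.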

Suspicious IPs are already included, as you can read here: "The Microsoft Intelligent Security Graph maintains a list of IP addresses known to have been in contact with a bot server. Devices that attempt to contact resources from these IP addresses are possibly infected with malware and are therefore flagged."
Please read more here: https://blogs.technet.microsoft.com/enterprisemobility/2017/05/26/breaking-down-ems-conditional-acce...

as others have stated, I believe what you're asking is offered by Azure Identity Protection - which is an Azure AD Premium P2 feature. https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection It doesn't allow you to exclude the IPs of Russia or North Korea specifically, but it allows Microsoft to watch your accounts for abnormal behavior.