AD FS - Banned IP question


Azure Active Directory Connect Health | AD FS services question here. I've added some malicious IPs to the AD FS Banned IP list, but my Azure AD Sign-in log still registers connection attempts from these IPs with error code 50126 (The user was not able to sign in because the user did not enter the right credentials). That is the same error code as before adding the IPs to the Banned IP list. Is this normal?

 

We use AD FS for authenticating to O365/Azure AD. We also use AD FS Health for monitoring and securing purposes. I would like to block malicious IPs from accessing AD FS and even attempting to authenticate. I thought I could use AD FS - Banned IP, but maybe that is not the case?

 

Another strange detail about this is that the login attempts from malicious IPs seen in Azure AD are not registered in the AD FS/Security logs in Event Viewer on the AD FS server. Appreciate any feedback. BR, Ruslan


 

 

0 Replies
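As an added example (not part of the original post or a reply): the PowerShell an AD FS administrator would run on the federation server itself to inspect and extend the banned IP list, confirm the change was saved, and search the AD FS Security audit log for requests from the same addresses. The IP addresses and the seven-day lookback are constructed for illustration; the cmdlets are the documented AD FS ones for Windows Server 2016 (with the June 2017 update) and later.

```powershell
#Requires -Modules ADFS
# Added example, not code from the original post. Run on an AD FS 2016+ farm node.
# The addresses below are constructed (TEST-NET ranges), not real attacker IPs.
$suspectIps = @('203.0.113.25', '198.51.100.0/24')

# 1. Show what is currently banned.
(Get-AdfsProperties).BannedIpList

# 2. Add the entries. AD FS evaluates the connecting client IP and the
#    x-ms-forwarded-client-ip header (set when the request is proxied,
#    e.g. by Exchange Online for legacy/basic-auth clients) against this list.
Set-AdfsProperties -AddBannedIps $suspectIps

# 3. Verify the entries were persisted to the configuration database.
$banned = (Get-AdfsProperties).BannedIpList
foreach ($ip in $suspectIps) {
    if ($banned -notcontains $ip) { Write-Warning "$ip is not present in BannedIpList" }
}

# 4. Look for AD FS audit events that mention the exact IPs. This needs auditing on:
#    Set-AdfsProperties -AuditLevel Verbose
#    auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
#    Each farm node only logs the requests it served, so repeat on every node (or
#    use Connect Health). CIDR entries are skipped here; they need a subnet match.
$exactIps = @($suspectIps | Where-Object { $_ -notmatch '/' })
$since    = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
        LogName      = 'Security'
        ProviderName = 'AD FS Auditing'
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
    Where-Object {
        $m = $_.Message
        @($exactIps | Where-Object { $m -like "*$_*" }).Count -gt 0
    } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If step 4 returns nothing for an address that Azure AD's sign-in log does show, the request never reached this farm (or not this node): the banned IP list can only reject traffic that AD FS actually evaluates, so the Azure AD entry and the AD FS audit trail need to be compared per request before concluding the ban is ineffective. To remove an entry later, use `Set-AdfsProperties -RemoveBannedIps '203.0.113.25'`.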