Dealing with high number of failed log on attempts from foreign countries utilizing Exchange Online

Not sure if any one has seen this. There is a new tool for your basket. This has helped us greatly.

A couple of months ago Microsoft released to preview and then has pushed forward 'Authentication Policies'.

These authentication policies are processed prior to being passed to AAD or ADFS saving the failed login against the account

And yes this can be applied to individual or small groups to test first (just remember to wait to assure the policy is applied to the user in question before calling it good or not)

See "https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online"

Basic outline

Assure you have modern authentication enabled for your organization

Create an authentication policy blocking basic auth for pop, imap and such (The biggest one we were seeing was imap)

If you have any user or service accounts that requires basic auth for any of the protocols you are disabling in the previous policy, create a second policy allowing the protocols

If you have any users that utilizing pop, imap or any other method you determine don't need basic authentication, get them migrated to some other form of client app or access

If there are any accounts that absolutely require basic auth (ie we have a ticketing system that utilizes imap with basic auth to connect to a specific mailbox), make note of them to exclude in your query for users to apply your restricted policy to

Query for and apply unrestricted policy to service account or user that requires the basic auth for the protocols disabled by the restricted policy

Query for and apply restricted policy to the majority of your users

Apply restricted policy as global default (for new users)

Either wait 24 hours for it to be applied or touch a user property on the user and wait approximately 30 minutes.

Note, the below worked for me. Make sure you research and adjust for your own needs. I take no responsibility for what you do to your environment. These are only examples

Exchange Powershell commands used

connect-exopssession -UserPrincipalName {exchangeonline admin}

New-AuthenticationPolicy -Name "Block_Basic_Auth_Selective”

{Blocks basic auth for imap, pop, smtp but allows for things like activesync}
(Adjust according to your needs)
Set-AuthenticationPolicy -Identity “Block_Basic_Auth_Selective” -AllowBasicAuthActiveSync -AllowBasicAuthAutodiscover -AllowBasicAuthImap:$false -AllowBasicAuthMapi -AllowBasicAuthOfflineAddressBook -AllowBasicAuthOutlookService:$false -AllowBasicAuthPop:$false -AllowBasicAuthReportingWebServices -AllowBasicAuthRest -AllowBasicAuthRpc -AllowBasicAuthSmtp:$false -AllowBasicAuthWebServices -AllowBasicAuthPowerShell

New-AuthenticationPolicy "Allow_Basic_Auth"

(Adjust according to your needs)
Set-AuthenticationPolicy -Identity “Allow_Basic_Auth” -AllowBasicAuthActiveSync:$true -AllowBasicAuthAutodiscover:$true -AllowBasicAuthImap:$true -AllowBasicAuthMapi:$true -AllowBasicAuthOfflineAddressBook:true -AllowBasicAuthOutlookService:$true -AllowBasicAuthPop:$true -AllowBasicAuthReportingWebServices -AllowBasicAuthRest -AllowBasicAuthRpc -AllowBasicAuthSmtp:$true -AllowBasicAuthWebServices:true -AllowBasicAuthPowerShell

To simplifiy things for my environment I manually set the users that required basic auth (I only had two)

set-user -Identity "User One" -AuthenticationPolicy "Allow_Basic_Auth"

To touch the user to make the policy get applied quicker

set-user -Identity "User One" -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)

For the rest of my users

$Users = Get-User -ResultSize unlimited | Where {$_.RecipientType -eq "UserMailbox" -and $_.AuthenticationPolicy -eq $null}

$users =$users.WindowsEmailAddress

$users | %{Set-User -Identity $_ -AuthenticationPolicy “Block_Basic_Auth_Selective”}

If you want to touch the users to apply policy quicker, since the query is already in memory

$users | %{Set-User -Identity $_ -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)}

Now the following command will apply the restricted policy as the global default. (Note, when I first implemented this, the unrestricted users did not have a policy applied and as such I thought they would have no policy applied, but once the default policy was applied to the global config, it affected the unrestricted unconfigured users.)

Set-OrganizationConfig -DefaultAuthenticationPolicy “Block_Basic_Auth_Selective”

Remember, mileage will vary. Read everything you can find on Authentication Policy/ies

For us, for now, this has completely removed the issues we were having with illigitimate failed login attempts and account lockouts.
We ran into only the one issue mentioned above with the accounts that had no policy assigned and then the global policy being applied

Remember, it takes approximately 24 hours for the policy to be applied to a user unless one of the user's properties are modified

There is one thing I will mention, at this time, when this is applied, there is nothing logged for failed attempts that fall afoul of the blocked basic auth policy even in Azure Ad Sign-ins

-Gene