Dealing with high number of failed log on attempts from foreign countries utilizing Exchange Online

We have noted a drastic increase in the number of failed log on attempts coming from countries outside the US within ADFS, obviously attempting to log in through Exchange Online.

(When reviewing event ID 411 specifically within the security logs of the ADFS servers, you will note two IP addresses: "OriginIPAddress,MicrosoftExchangeOnlineIP".)

We are running a hybrid environment with ADFS 3.0 on 2012 r2 and O365, AD domain is on 2008 r2.

We have a user base of approximately 700 users

This presents a couple of obvious issues.

Enabled advanced event logging for ADFS and processes, so I can see the IP addresses of logins through ADFS

Every day, I am processing through all of the 411 events within the security event logs and consolidating it into a spreadsheet for easier consumption. (Not a pretty process, as I haven't completely fine-tuned it yet.)

Here's some of the things I am seeing for all of the foreign IP addresses

They are making attempts at approximately 400 account names.

The majority of attempts are performed in alphabetical order with occasional deviations

They are rate limiting what they are trying for the most part to only 4 or 5 attempts per account per day with occasional deviations which wind up triggering the extranet lockout for a given user.

Microsoft's online logging and monitoring of failures such as these is pretty much worthless or outright non-existent.

Limitations of my environment

We can't enable MFA across the board as the company won't supply mobile devices across the board and they find the cost for tokens too prohibitive.

Have contemplated blocking regional IP addresses, but this presents its own problems.

One, I can't block it at the firewall fronting the ADFS WAP as they are utilizing basic auth through Exchange Online so all we would see at the firewall is the Exchange Online IP addresses.

Two, can't enable conditional access due to it being designed to be inclusive, not exclusive, where the IPs specified are for known good networks. We have too many remote locations that are on some form of dynamic connection.

Three, I can't really block non-US IPs as we routinely have execs traveling.

Sorry for the long-winded description. Here is where the questions come in.

I am hunting for ideas

First, any ideas on how to mitigate this other than what was already provided?

Second, has anyone found a way to determine which protocols these authentication attempts are being made against in Exchange Online? It logs client type for successes, which allows you to do some tracking of client type, but it does not provide any form of reporting or logging that I have found for failed attempts, and there doesn't appear to be anything I can extract from AD FS logs.

Three, has anyone found a way to fully monitor the Azure AD sign-ins? MS has their reporting and the online logging, but I would like to have something monitor the Azure AD sign-ins for successful failures from foreign IP addresses and notify on these events. We don't have that many people that travel outside the country, so it's easy to correlate to a given known user traveling.

Four, anyone else seeing something along these lines?

Thanks for your time,

-G

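As an added example (not the poster's own spreadsheet process), here is a PowerShell script that does the daily 411 triage described above on an AD FS server: it pulls the 411 audit events from the Security log, splits the "OriginIPAddress,MicrosoftExchangeOnlineIP" pair, ranks origin IPs by failures and by how many distinct accounts each one touched, and lists accounts that came within one failure of the extranet lockout threshold on a given day. The regexes assume the event text carries a "Client IP:" line with that comma-separated pair and an "Error message:" line that starts with the user name; the provider name and parameter names are assumptions to adjust for your environment.

```powershell
# Added example, not the poster's script. Assumptions (labelled): AD FS 411 events are in
# the Security log under provider 'AD FS Auditing'; the message has a "Client IP:" line of
# the form "OriginIP,ExchangeOnlineIP" and an "Error message:" line of the form
# "user@domain-<reason>". Adjust the two regexes if your events differ.
param(
    [int]$Days = 1,
    [int]$LockoutThreshold = 5,   # set to your ExtranetLockoutThreshold
    [string]$OutCsv = ".\adfs-411-$(Get-Date -Format yyyyMMdd).csv"
)

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'AD FS Auditing'
    Id           = 411
    StartTime    = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $msg = $e.Message
    # Assumed layout: "Client IP:" followed by "origin,proxy" (proxy absent for direct hits)
    if ($msg -match 'Client IP:\s*(?<origin>[0-9A-Fa-f.:]+)(?:,(?<proxy>[0-9A-Fa-f.:]+))?') {
        $origin = $Matches['origin']; $proxy = $Matches['proxy']
    } else { continue }
    # Assumed layout: "Error message:" then "user-<reason>"; greedy \S+ keeps hyphenated names
    $user = if ($msg -match 'Error message:\s*(?<user>\S+)-') { $Matches['user'] } else { 'unknown' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Day      = $e.TimeCreated.ToString('yyyy-MM-dd')
        User     = $user
        OriginIP = $origin
        ProxyIP  = $proxy            # Exchange Online address when the attempt came via basic auth
        ViaEXO   = [bool]$proxy
    }
}

$rows | Export-Csv -NoTypeInformation -Path $OutCsv   # the daily spreadsheet

# Origin IPs ranked by failures, with the number of distinct accounts each one tried
$rows | Group-Object OriginIP | ForEach-Object {
    [pscustomobject]@{ OriginIP = $_.Name; Failures = $_.Count
                       Accounts = @($_.Group.User | Sort-Object -Unique).Count }
} | Sort-Object Failures -Descending | Select-Object -First 20 | Format-Table -AutoSize

# Accounts that came within one failure of the extranet lockout threshold on any single day
$rows | Group-Object User, Day | Where-Object { $_.Count -ge ($LockoutThreshold - 1) } |
    Select-Object @{n='User, Day'; e={$_.Name}}, Count | Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run it on each AD FS server (the farm does not share the Security log), or point `Get-WinEvent` at each with `-ComputerName`, and scheduling it daily gives the per-account and per-IP view without the manual spreadsheet step.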
Hi eugene,

Thanks for the detailed description. I will look into testing this for a couple of affected users and then get it rolled out across the domain if all good. We have managed to stave off some of the lockouts using the threshold settings, but still some get locked every so often, so this could do the trick for us...
Thanks again, and will update in the new year as to how it all goes.
paddi