Cloud App Security IP block in Conjunction with Azure AD Conditional Access Policy


I have a conditional access policy which rejects Office 365 logins from IPs probably located outside of the US (and Bahamas, Canada). I still see alerts in Cloud App Security when foreign hackers attempt to log into various Office 365 accounts from those regions. We have MFA on all admin accounts and most others as well. Question: why does Cloud App Security flag those login attempts when we already have a conditional access policy blocking those regions? Is there some kind of ordering that happens with these rules? I notice that when I block the IP (make it Risky; a conditional access policy also blocks all risky IP logins), the attack goes away until they try another IP.

3 Replies

@Jim Hill 

Can you elaborate on the alerts you are seeing in Cloud App Security? Is it one of the anomaly detection alerts such as 'Risky Sign in', 'Activity from anonymous IP address', or 'Multiple failed login attempts'? Or is this an access policy you have in place in MCAS that corresponds to your Azure AD Conditional Access Policy?  

@Anisha Gupta we have Cloud App Security set to alert only on the rule which fires when it sees multiple failed login attempts. These usually come from outside of our region, so I thought that any login attempt would first be blocked in Azure AD by having a conditional access policy blocking any login from outside of our region. I am guessing that the conditional access policy allows the user outside of the region to attempt to log in, but just blocks it at that point, so it then shows in the Cloud App Security alert. Once we add that IP address as a risky IP it is blocked thereafter.

@Anisha Gupta I think I see what was happening. I had only a subset of users to which the conditional access policy "block login from risky IPs" applied. Once I expanded that rule, I could see by using the What If tool that the login attempt was blocked. Regardless, my users know to reject and report any incident during which they see an MFA authentication request on their smartphone apps, since that would mean that the login passed the password authentication portion. We also have branding all over our sign-in page, so hopefully between that, the various rules, and Bitdefender we hope to minimize breaches. Thanks for looking at this.
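An added example, not code from the thread or from Microsoft: a small Python triage over sign-in log records that separates the three stages the posts above are conflating. Azure AD evaluates Conditional Access only after the first factor (the password) succeeds, so a wrong-password attempt from a blocked region is never "blocked by Conditional Access"; it fails earlier, with error 50126, and still counts toward Cloud App Security's 'multiple failed login attempts' detection. A request that is blocked by a CA policy logs 53003, and one that passes the password and reaches an MFA prompt logs 50074 or 50076. The script also checks which users a CA policy actually targets, which is the scoping gap the last post found with the What If tool. Record and policy shapes follow Microsoft Graph's `signIn` and `conditionalAccessPolicy` resources; the users, group IDs, IP addresses (RFC 5737 documentation ranges) and the policy itself are constructed.

```python
"""Triage constructed Azure AD sign-in records against a Conditional Access policy.

Added example (not from the original thread). Records and policy are constructed,
shaped like the Microsoft Graph `signIn` and `conditionalAccessPolicy` resources;
user IDs, group IDs and IPs are made up. Conditional Access runs only after the
password is accepted, so a wrong-password attempt never reaches a CA "block".
"""
from collections import Counter

# status.errorCode values as logged by Azure AD
SUCCESS = 0
INVALID_PASSWORD = 50126        # first factor failed; CA was never evaluated
MFA_REQUIRED = {50074, 50076}   # first factor passed; user was prompted for MFA
BLOCKED_BY_CA = 53003           # a CA policy with the "block" grant control applied


def triage(record):
    """Classify where in the sign-in pipeline a log entry stopped."""
    code = record["status"]["errorCode"]
    if code == INVALID_PASSWORD:
        return "first_factor_failed"   # what 'multiple failed login attempts' counts
    if code == BLOCKED_BY_CA or record.get("conditionalAccessStatus") == "failure":
        return "blocked_by_ca"
    if code in MFA_REQUIRED:
        return "mfa_challenged"        # password was correct: highest-priority bucket
    if code == SUCCESS:
        return "success"
    return "other"


def user_in_scope(policy, user_id, user_groups=()):
    """True if an enabled policy targets user_id by user or group, net of exclusions."""
    if policy["state"] != "enabled":
        return False
    users = policy["conditions"]["users"]
    if user_id in users.get("excludeUsers", []):
        return False
    if set(user_groups) & set(users.get("excludeGroups", [])):
        return False
    include_users = users.get("includeUsers", [])
    if "All" in include_users or user_id in include_users:
        return True
    return bool(set(user_groups) & set(users.get("includeGroups", [])))


def review(records, policy, group_membership):
    """Count stages and list users who got past the password but sit outside the policy."""
    stages = Counter(triage(r) for r in records)
    gaps = sorted({
        r["userPrincipalName"] for r in records
        if triage(r) in ("mfa_challenged", "success")
        and not user_in_scope(policy, r["userId"], group_membership.get(r["userId"], ()))
    })
    return stages, gaps


BLOCK_RISKY_IPS = {   # constructed; shaped like a Graph conditionalAccessPolicy
    "displayName": "Block sign-in from risky IPs",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["u-alice"], "includeGroups": ["g-admins"],
                  "excludeUsers": [], "excludeGroups": []},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

GROUPS = {"u-bob": ["g-admins"], "u-carol": ["g-sales"]}   # constructed membership


def entry(upn, uid, ip, country, code, ca_status):
    """Build one constructed sign-in record in the Graph signIn shape."""
    return {"userPrincipalName": upn, "userId": uid, "ipAddress": ip,
            "location": {"countryOrRegion": country},
            "status": {"errorCode": code},
            "conditionalAccessStatus": ca_status}


SIGN_INS = [  # constructed; "ZZ" is an ISO 3166 user-assigned country code
    entry("alice@example.com", "u-alice", "203.0.113.5", "ZZ", INVALID_PASSWORD, "notApplied"),
    entry("alice@example.com", "u-alice", "203.0.113.5", "ZZ", INVALID_PASSWORD, "notApplied"),
    entry("alice@example.com", "u-alice", "203.0.113.5", "ZZ", BLOCKED_BY_CA, "failure"),
    entry("carol@example.com", "u-carol", "198.51.100.9", "ZZ", 50074, "notApplied"),
    entry("bob@example.com", "u-bob", "192.0.2.20", "US", SUCCESS, "success"),
]

if __name__ == "__main__":
    stages, gaps = review(SIGN_INS, BLOCK_RISKY_IPS, GROUPS)
    print(dict(stages))
    print("past the password but outside the block policy:", gaps)
```

The two password failures from 203.0.113.5 are what the 'multiple failed login attempts' alert sees; the third attempt is the one the CA block actually handled. Carol's record is the scoping problem from the last post: her password was accepted and she was prompted for MFA because the block policy targets only `u-alice` and `g-admins`. Against real data, pull records with `GET /auditLogs/signIns` and policies with `GET /identity/conditionalAccess/policies` and feed them to `review`.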