SOLVED

Simple Question about CAS and CA Policies


Several of my Exchange Online accounts are subject to frequent login attempts by various means. Recently I have had a bunch of attempts using IMAP from foreign countries. IMAP is disabled for that account, but SMTP is allowed (for the time being). We have one CA policy which applies, "Blocks login from foreign country". When I test using the What If tool, these foreign logins using IMAP are indeed blocked. Yet the user account is getting locked and the logs show multiple break-in attempts. What is going on? Shouldn't the CA policy and IMAP restriction prevent the login attempt in the first place, or will the log continue to grow with failed logins from IMAP while locking the account?

2 Replies
Best Response confirmed by Jim_Hill (Occasional Contributor)
Solution

Best configure an authentication policy in Exchange, it stops those attempts before they even hit AAD: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authen...

@Vasil Michev Thanks very much. Because of your comment I looked up the method to create and apply a new authentication policy. I made one that blocked all basic authentication, then modified it to allow authenticated SMTP. Then I applied it on a per-user basis. This seemed to work well and, like you said, it should stop it before it gets into the Azure AD. Thanks so much.
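
The steps described in the reply above (create a policy that blocks all Basic authentication, allow authenticated SMTP, assign it per user), as an added example that is not part of the original thread. The policy name and the user addresses are hypothetical placeholders, and the session is assumed to have the ExchangeOnlineManagement module and an Exchange administrator role.

```powershell
# Added example, not from the thread. Names below are placeholders (assumptions).
$PolicyName = 'Block Basic Auth Except SMTP'
$Users      = @('user1@contoso.example', 'user2@contoso.example')

# Connect to Exchange Online PowerShell (ExchangeOnlineManagement module).
Connect-ExchangeOnline

# A newly created authentication policy blocks Basic authentication
# for every protocol (IMAP, POP, EWS, ActiveSync, SMTP, ...) by default.
New-AuthenticationPolicy -Name $PolicyName | Out-Null

# Re-allow Basic authentication for authenticated SMTP only,
# matching the exception described in the reply.
Set-AuthenticationPolicy -Identity $PolicyName -AllowBasicAuthSmtp

foreach ($upn in $Users) {
    # Assign the policy to the individual account.
    Set-User -Identity $upn -AuthenticationPolicy $PolicyName

    # Mark existing refresh tokens as stale so the new assignment
    # is picked up sooner than the default propagation delay.
    Set-User -Identity $upn -STSRefreshTokensValidFrom $([System.DateTime]::UtcNow)
}

# Verify: every AllowBasicAuth* property except AllowBasicAuthSmtp should be False.
Get-AuthenticationPolicy -Identity $PolicyName |
    Format-List Name, AllowBasicAuth*

# Verify: each targeted user should show the policy name.
foreach ($upn in $Users) {
    Get-User -Identity $upn |
        Select-Object UserPrincipalName, AuthenticationPolicy
}
```

Because the policy is enforced by Exchange Online before the request is passed to Azure AD, blocked IMAP attempts against these accounts should stop appearing as failed sign-ins; checking the sign-in logs after the assignment takes effect confirms that.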