Forum Discussion
Jim Hill
Aug 08, 2019, Brass Contributor
Cloud App Security IP block in Conjunction with Azure AD Conditional Access Policy
I have a conditional access policy which rejects Office 365 logins from IPs probably located outside of the US (and Bahamas, Canada). I still see alerts in Cloud App Security when foreign hackers a...
Jim Hill
Apr 12, 2022, Brass Contributor
kkalra Yep, that is my thinking too. The CA policy is actually fired only after a hacker makes their breach, and they would then be prevented from access at that point. I am wondering about a few things now:
- What is the impact of flagging an IP or CIDR range as "risky" when investigating events in Cloud App Security? Does this then just flag future events from that login attempt as coming from a risky IP address, or does it do any sort of blocking? I guess that it would feed this tag info over to Azure Sentinel.
- What is the impact of adding IPs and CIDR ranges to the connection filter policy in Microsoft Defender / Threat Policies / Anti-spam policies? I know from experience that senders with that mail server IP are indeed prevented from sending our domain email, because once I accidentally listed an IP for one of our customers' email servers and their emails to us bounced. I can tell you that if you use a tool like AdminDroid and audit the login attempts, you will see attempted logins for invalid usernames (meaning that the UPN does not exist in our AD domain), and when you block these in the connection filter policy you then don't see future attempts from this IP - or so it seems to me!
kkalra
Apr 13, 2022, Copper Contributor
Jim Hill thank you for your insight. I explored the two options:
- Flagging the IPs as Risky will be useful when linked to a Cloud App Security policy. https://argonsys.com/microsoft-cloud/library/cloud-app-security-block-tor-browser-anonymous-ip/
Now, looking at the Activity logs, I mark the IP as 'Set as Risky IP and add to denylist'. I assume it feeds into the threat detection list of bad IPs.
I still see failed sign-in attempts in the AAD sign-in logs, and no alerts from the Cloud App Security policy.
- Regarding https://security.microsoft.com/antispam
It is used for email filtering (allow/block messages) to control the emails landing in users' inboxes. https://www.youtube.com/watch?v=cw2O093bubg
I do not use AdminDroid hence not aware of those features.
All these actions discussed get triggered after a sign-in attempt has been made.
Another failed instance:
- Legacy authentication is blocked; however, on failed sign-ins, one of the attempts is using IMAP4.
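Both posts above circle the same point: a location-based Conditional Access policy is evaluated only after the credentials have been accepted, so password-spray noise from abroad keeps showing up as failed sign-ins that CA never touched, and a legacy IMAP4 attempt is still logged even when it is blocked. The script below is an added example for this thread (not code from either poster or from Microsoft) that sorts exported sign-in records by where each attempt stopped. It assumes records shaped like Microsoft Graph `auditLogs/signIns` output (`ipAddress`, `userPrincipalName`, `clientAppUsed`, `conditionalAccessStatus`, `status.errorCode`, `location.countryOrRegion`) and uses the Azure AD error codes 50126 (invalid credentials), 50034 (user not found) and 53003 (blocked by Conditional Access). The sample records are constructed; the domain and IPs are documentation addresses, not real data.

```python
"""Triage Azure AD sign-in records: did an attempt fail before or after CA?

Added example for this forum thread; not the posters' or Microsoft's code.
Record shape follows Microsoft Graph auditLogs/signIns. Sample data is constructed.
"""
from collections import Counter, defaultdict
import ipaddress

# status.errorCode values as they appear in the Azure AD sign-in logs.
ERR_INVALID_CREDENTIALS = 50126   # wrong password: CA is never evaluated
ERR_USER_NOT_FOUND = 50034        # UPN does not exist in the tenant
ERR_BLOCKED_BY_CA = 53003         # credentials were VALID, CA then blocked

# clientAppUsed values that are modern auth; anything else is legacy (IMAP4, POP3, ...)
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}


def classify(rec):
    """Map one sign-in record to where the attempt stopped."""
    code = rec["status"]["errorCode"]
    if code == 0:
        return "success"
    if code == ERR_BLOCKED_BY_CA:
        return "blocked_by_ca"      # password known to the attacker
    if code == ERR_USER_NOT_FOUND:
        return "unknown_user"       # enumeration / spray against bad UPNs
    if code == ERR_INVALID_CREDENTIALS:
        return "bad_password"       # pre-auth noise, CA notApplied
    return "other_failure"


def is_legacy(rec):
    return rec.get("clientAppUsed") not in MODERN_CLIENTS


def triage(records):
    """Return (per-IP outcome counts, legacy-protocol failure counts by client)."""
    per_ip = defaultdict(Counter)
    legacy = Counter()
    for r in records:
        outcome = classify(r)
        per_ip[r["ipAddress"]][outcome] += 1
        if outcome != "success" and is_legacy(r):
            legacy[r["clientAppUsed"]] += 1
    return per_ip, legacy


def compromised_accounts(records):
    """UPNs where CA blocked a sign-in: the password worked, so rotate it."""
    return sorted({r["userPrincipalName"] for r in records
                   if classify(r) == "blocked_by_ca"})


def candidate_denylist(per_ip, min_failures=3):
    """IPs whose failures all happened before CA and that never succeeded."""
    out = [ip for ip, c in per_ip.items()
           if c["bad_password"] + c["unknown_user"] >= min_failures and c["success"] == 0]
    return sorted(out, key=ipaddress.ip_address)


def summarize_cidrs(ips, prefix=24):
    """Collapse IPs into /prefix networks for a named location or connection filter."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
    return sorted(str(n) for n in nets)


def _rec(ip, upn, app, code, ca, country):
    return {"ipAddress": ip, "userPrincipalName": upn, "clientAppUsed": app,
            "conditionalAccessStatus": ca, "status": {"errorCode": code},
            "location": {"countryOrRegion": country}}


# Constructed sample: a spray over IMAP4 from one IP, one IP that knows a
# real password and is stopped by CA, and one legitimate US sign-in.
SAMPLE_SIGNINS = [
    _rec("198.51.100.7", "alice@contoso.example", "IMAP4", 50126, "notApplied", "RU"),
    _rec("198.51.100.7", "bob@contoso.example", "IMAP4", 50126, "notApplied", "RU"),
    _rec("198.51.100.7", "nobody@contoso.example", "IMAP4", 50034, "notApplied", "RU"),
    _rec("198.51.100.7", "carol@contoso.example", "Other clients", 50126, "notApplied", "RU"),
    _rec("203.0.113.44", "alice@contoso.example", "Browser", 53003, "failure", "BR"),
    _rec("203.0.113.44", "alice@contoso.example", "IMAP4", 53003, "failure", "BR"),
    _rec("192.0.2.10", "alice@contoso.example", "Browser", 0, "success", "US"),
]

if __name__ == "__main__":
    per_ip, legacy = triage(SAMPLE_SIGNINS)
    for ip, counts in per_ip.items():
        print(ip, dict(counts))
    print("legacy-protocol failures:", dict(legacy))
    print("accounts whose password worked (CA blocked):", compromised_accounts(SAMPLE_SIGNINS))
    print("denylist candidates:", summarize_cidrs(candidate_denylist(per_ip)))
```

The useful split is between `bad_password`/`unknown_user` (CA status `notApplied`, nothing but noise to block at the IP) and `blocked_by_ca` (the policy did its job, but only because the attacker already had a valid password). The legacy counter shows IMAP4 attempts in both buckets, which is exactly the pattern described above: blocking legacy auth stops the session, it does not stop the attempt from being logged.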