Aug 08 2019 05:38 AM
I have a conditional access policy which rejects Office 365 logins from IPs probably located outside of the US (and Bahamas, Canada). I still see alerts in Cloud App Security when foreign hackers attempt to log into various Office 365 accounts from those regions. We have MFA on all admin accounts and most others as well. Question: why does Cloud App Security flag those login attempts when we already have a conditional access policy blocking those regions? Is there some kind of ordering that happens with these rules? I notice that when I block the IP (make it Risky; a conditional access policy also blocks all risky IP logins), the attack goes away until they try another IP.
Aug 13 2019 11:36 AM
Can you elaborate on the alerts you are seeing in Cloud App Security? Is it one of the anomaly detection alerts such as 'Risky Sign in', 'Activity from anonymous IP address', or 'Multiple failed login attempts'? Or is this an access policy you have in place in MCAS that corresponds to your Azure AD Conditional Access Policy?
Aug 14 2019 04:50 AM
@Anisha Gupta we have Cloud App Security set to alert only on the rule which fires when it sees multiple failed login attempts. These usually come from outside of our region, so I thought that any login attempt would first be blocked in Azure AD by having a conditional access policy blocking any login from outside of our region. I am guessing that the conditional access policy allows the user outside of the region to attempt to log in, but just blocks it at that point, so it then shows in the Cloud App Security alert. Once we add that IP address as a risky IP it is blocked thereafter.
Aug 14 2019 12:14 PM
@Anisha Gupta I think I see what was happening. I had applied the conditional access policy "block login from risky IPs" to only a subset of users. Once I expanded that rule, I saw by using the What If tool that the login attempt was blocked. Regardless, my users know to reject and report any incident during which they see an MFA authentication request on their smartphone apps, since that would mean that the login passed the password authentication portion. We also have branding all over our sign-in page, so hopefully between that, the various rules, and Bitdefender we will minimize breaches. Thanks for looking at this.
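The ordering the thread settles on (credentials are checked first, Conditional Access runs afterwards, so every attempt still lands in the sign-in log and still counts toward a "multiple failed logins" alert) can be shown with a small triage script. This is an added example, not code from the thread or from Microsoft: the records are constructed, the field names are a simplified stand-in for the Azure AD sign-in log schema, and the alert threshold, the allowed-region set and the legacy-client list are assumptions.

```python
"""Triage constructed sign-in records to show where Conditional Access sits.

Conditional Access (CA) is evaluated only after the first factor (the password)
has been validated, so allowed, password-failed and CA-blocked attempts all
appear in the sign-in log.  A detection that counts failures per source IP
therefore keeps firing even when a CA policy blocks the region.  This script
separates the outcomes and calls out the CA-blocked ones, which imply the
password itself was accepted, plus any legacy-protocol attempts.
"""
from collections import Counter

ALLOWED_REGIONS = {"US", "CA", "BS"}       # US, Canada, Bahamas, as in the thread
FAILED_THRESHOLD = 3                        # assumed per-IP threshold for the alert
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP"}  # assumed set; legacy auth cannot do MFA

# Azure AD result codes: 0 = success, 50126 = invalid username or password,
# 53003 = blocked by Conditional Access.  The codes are real; the log is not.
CODE_SUCCESS, CODE_BAD_CREDS, CODE_CA_BLOCKED = 0, 50126, 53003

# Constructed sample log.  IPs come from the documentation ranges and "ZZ" is a
# placeholder region code; the field names are assumptions, not the Graph schema.
SAMPLE_SIGNINS = [
    {"user": "alice@contoso.example", "ip": "203.0.113.10", "region": "US", "client": "Browser", "error": 0},
    {"user": "alice@contoso.example", "ip": "198.51.100.7", "region": "ZZ", "client": "Browser", "error": 50126},
    {"user": "bob@contoso.example",   "ip": "198.51.100.7", "region": "ZZ", "client": "Browser", "error": 50126},
    {"user": "carol@contoso.example", "ip": "198.51.100.7", "region": "ZZ", "client": "Browser", "error": 50126},
    {"user": "dave@contoso.example",  "ip": "198.51.100.7", "region": "ZZ", "client": "Browser", "error": 53003},
    {"user": "bob@contoso.example",   "ip": "192.0.2.22",   "region": "ZZ", "client": "IMAP4",   "error": 50126},
    {"user": "bob@contoso.example",   "ip": "203.0.113.44", "region": "CA", "client": "Browser", "error": 0},
]


def classify(rec):
    """Map one record to an outcome: success, bad_password, ca_blocked or other."""
    code = rec["error"]
    if code == CODE_SUCCESS:
        return "success"
    if code == CODE_BAD_CREDS:
        return "bad_password"
    if code == CODE_CA_BLOCKED:
        return "ca_blocked"
    return "other"


def triage(records, allowed=ALLOWED_REGIONS, threshold=FAILED_THRESHOLD):
    """Return the findings a defender wants from a batch of sign-in records.

    multiple_failed : IPs whose non-success attempts reach the threshold.  Note
                      that CA-blocked attempts are counted too; CA did not stop
                      the attempt from being made, only from succeeding.
    ca_blocked      : (user, ip) pairs where CA blocked an attempt.  Because CA
                      runs after password validation, these passwords should be
                      treated as known to the attacker and reset.
    legacy_protocol : attempts through clients that cannot perform MFA.
    policy_gap      : successful sign-ins from outside the allowed regions,
                      which means the blocking policy did not cover that user.
    """
    failures_per_ip = Counter()
    ca_blocked, legacy, policy_gap = [], [], []

    for rec in records:
        outcome = classify(rec)
        if outcome != "success":
            failures_per_ip[rec["ip"]] += 1
        if outcome == "ca_blocked":
            ca_blocked.append((rec["user"], rec["ip"]))
        if rec["client"] in LEGACY_CLIENTS:
            legacy.append((rec["user"], rec["ip"], rec["client"]))
        if outcome == "success" and rec["region"] not in allowed:
            policy_gap.append((rec["user"], rec["ip"], rec["region"]))

    return {
        "multiple_failed": sorted(ip for ip, n in failures_per_ip.items() if n >= threshold),
        "ca_blocked": ca_blocked,
        "legacy_protocol": legacy,
        "policy_gap": policy_gap,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SIGNINS).items():
        print(f"{key}: {value}")
```

On the constructed log, 198.51.100.7 reaches the failure threshold with three bad-password attempts plus one attempt that CA blocked, which is exactly the situation in the thread: the alert fires even though the region policy worked. The CA-blocked row for dave is the one to act on, since reaching CA means the password was accepted. The IMAP4 row shows why blocking legacy authentication matters even when MFA is enforced, and an empty policy_gap confirms that no out-of-region sign-in slipped past the policy scope.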
Apr 12 2022 06:49 AM - edited Apr 12 2022 06:51 AM
What's happening here is that users are paying a premium fee for a feature, 'Cloud App Security', where Microsoft is failing to provide service to its own dashboard. It is like going through your Windows logs in Event Viewer.
The conclusion is that a user will have a hard time monitoring the logs or will switch to another solution.
The ideal solution, though, would be to have the option to upload a list of suspicious IPs, from which the user gets brute-force attacks, to be blocked from attempting to log in.
Edit: this issue has been noted since 2019 and is still the same to date. Good luck!
Apr 12 2022 07:00 AM
@kkalra Yep, that is my thinking too. The CA policy actually is fired only after a hacker makes their breach and they would then be prevented from access at that point. I am wondering about a few things now:
Apr 13 2022 09:40 AM - edited Apr 13 2022 10:02 AM
@Jim Hill thank you for your insight. I explored the two options.
All the actions discussed get triggered after a sign-in attempt has been made.
Another failed instance:
- Legacy authentication is blocked; however, on a failed sign-in one of the attempts is using IMAP4.