Cloud App Security IP block in Conjunction with Azure AD Conditional Access Policy

%3CLINGO-SUB%20id%3D%22lingo-sub-795092%22%20slang%3D%22en-US%22%3ECloud%20App%20Security%20IP%20block%20in%20Conjunction%20with%20Azure%20AD%20Conditional%20Access%20Policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-795092%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20a%20conditional%20access%20policy%20which%20rejects%20Office%20365%20logins%20from%20IP's%20probably%20located%20outside%20of%20the%20US%20(and%20Bahamas%2C%20Canada).%26nbsp%3B%20I%20still%20see%20alerts%20in%20Cloud%20App%20Security%20when%20foreign%20hackers%20attempt%20to%20log%20into%20various%20Office%20365%20accounts%20from%20those%20regions.%20We%20have%20MFA%20on%20all%20admin%20accounts%20and%20most%20others%20as%20well.%26nbsp%3B%20Question%2C%20why%20does%20Cloud%20App%20Security%20flag%20those%20login%20attempts%20when%20we%20already%20have%20a%20conditional%20access%20policy%20blocking%20those%20regions%3F%26nbsp%3B%20Is%20there%20some%20kind%20of%20ordering%20that%20happens%20with%20these%20rules%3F%26nbsp%3B%20%26nbsp%3BI%20notice%20that%20when%20I%20block%20the%20IP%20(make%20it%20Risky%2C%20a%20conditional%20access%20policy%20also%20blocks%20all%20risky%20IP%20logins)%2C%20the%20attack%20goes%20away%20until%20they%20try%20another%20IP.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-795092%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECloud%20App%20Security%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-803213%22%20slang%3D%22en-US%22%3ERe%3A%20Cloud%20App%20Security%20IP%20block%20in%20Conjunction%20with%20Azure%20AD%20Conditional%20Access%20Policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-803213%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F88309%22%20target%3D%22_blank%22%3E%40Jim%20Hill%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3ECan%20you%20elaborate%20on%20the%20alerts%20you%20are%20seeing%20in%20Cloud%20App%20Security%3F%20Is%20it%20one%20of%20the%20anomaly%20detection%20alerts%20such%20as%20'Risky%20Sign%20in'%2C%20'Activity%20from%20anonymous%20IP%20address'%2C%20or%20'Multiple%20failed%20login%20attempts'%3F%20Or%20is%20this%20an%20access%20policy%20you%20have%20in%20place%20in%20MCAS%20that%20corresponds%20to%20your%20Azure%20AD%20Conditional%20Access%20Policy%3F%20%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-804415%22%20slang%3D%22en-US%22%3ERe%3A%20Cloud%20App%20Security%20IP%20block%20in%20Conjunction%20with%20Azure%20AD%20Conditional%20Access%20Policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-804415%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F222323%22%20target%3D%22_blank%22%3E%40Anisha%20Gupta%3C%2FA%3E%26nbsp%3Bwe%20have%20the%20Cloud%20App%20Security%20set%20to%20alert%20only%20on%20the%20rule%20which%20fires%20when%20it%20sees%20%3CSTRONG%3Emultiple%20failed%20login%20attempts%3C%2FSTRONG%3E.%20This%20usually%20come%20from%20outside%20of%20our%20region%2C%20so%20I%20thought%20that%20any%20login%20attempt%20would%20first%20be%20blocked%20in%20Azure%20AD%20by%20having%20a%20conditional%20access%20policy%20blocking%20any%20login%20from%20outside%20of%20our%20region.%26nbsp%3B%20I%20am%20guessing%20that%20the%20conditional%20access%20policy%20allows%20the%20user%20outside%20of%20the%20region%20to%20attempt%20to%20login%2C%20but%20just%20blocks%20it%20at%20that%20point%2C%20so%20it%20then%20shows%20in%20the%20Cloud%20App%20Security%20alert.%26nbsp%3B%20Once%20we%20add%20that%20IP%20address%20as%20a%20risky%20IP%20it%20is%20blocked%20thereafter.%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-805406%22%20slang%3D%22en-US%22%3ERe%3A%20Cloud%20App%20Security%20IP%20block%20in%20Conjunction%20with%20Azure%20AD%20Conditional%20Access%20Policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-805406%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F222323%22%20target%3D%22_blank%22%3E%40Anisha%20Gupta%3C%2FA%3E%26nbsp%3B%20I%20think%20I%20see%20what%20was%20happening.%26nbsp%3B%20I%20had%20only%20a%20subset%20of%20users%20to%20which%20the%20conditional%20access%20policy%20%22block%20login%20from%20risky%20IP's.%22%26nbsp%3B%20Once%20I%20expanded%20that%20rule%20I%20see%20that%20by%20using%20the%20What%20If%20tool%20that%20the%20login%20attempt%20was%20blocked.%26nbsp%3B%20Regardless%2C%20my%20users%20know%20to%20reject%20and%20report%20any%20incident%20during%20which%20they%20see%20an%20MFA%20authentication%20request%20on%20their%20smart%20phone%20apps%20since%20that%20would%20mean%20that%20the%20login%20passed%20the%20password%20authentication%20portion.%20We%20also%20have%20branding%20all%20over%20our%20sign%20in%20page%20so%20hopefully%20between%20that%2C%20the%20various%20rules%2C%20and%20Bitdefender%20we%20hope%20to%20minimize%20breaches.%26nbsp%3B%20Thanks%20for%20looking%20at%20this.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

I have a conditional access policy which rejects Office 365 logins from IP's probably located outside of the US (and Bahamas, Canada).  I still see alerts in Cloud App Security when foreign hackers attempt to log into various Office 365 accounts from those regions. We have MFA on all admin accounts and most others as well.  Question, why does Cloud App Security flag those login attempts when we already have a conditional access policy blocking those regions?  Is there some kind of ordering that happens with these rules?   I notice that when I block the IP (make it Risky, a conditional access policy also blocks all risky IP logins), the attack goes away until they try another IP.  

6 Replies

@Jim Hill 

Can you elaborate on the alerts you are seeing in Cloud App Security? Is it one of the anomaly detection alerts such as 'Risky Sign in', 'Activity from anonymous IP address', or 'Multiple failed login attempts'? Or is this an access policy you have in place in MCAS that corresponds to your Azure AD Conditional Access Policy?  

@Anisha Gupta we have the Cloud App Security set to alert only on the rule which fires when it sees multiple failed login attempts. This usually come from outside of our region, so I thought that any login attempt would first be blocked in Azure AD by having a conditional access policy blocking any login from outside of our region.  I am guessing that the conditional access policy allows the user outside of the region to attempt to login, but just blocks it at that point, so it then shows in the Cloud App Security alert.  Once we add that IP address as a risky IP it is blocked thereafter.   

@Anisha Gupta  I think I see what was happening.  I had only a subset of users to which the conditional access policy "block login from risky IP's."  Once I expanded that rule I see that by using the What If tool that the login attempt was blocked.  Regardless, my users know to reject and report any incident during which they see an MFA authentication request on their smart phone apps since that would mean that the login passed the password authentication portion. We also have branding all over our sign in page so hopefully between that, the various rules, and Bitdefender we hope to minimize breaches.  Thanks for looking at this. 

#Microsoft #CloudAppSecurity 

What's happening here is users are paying for a premium fee for a feature 'Cloud Security App' where Microsoft is failing to provide service to its own dashboard. It is like going through your Windows logs on Event viewer. 

  • It also gives you alerts from Microsoft server
    i.e. Your file was accessed by Teams on US Microsoft Server (eeehhh!)
  • It gives you false alerts from failed sign-in.
    Is it really a CloudAppSecurity alert? No, you cannot fix it (even if you mark it as false +ve)
    i.e. Conditional access is blocking the sign-in attempt and that information is logged in AAD user sign-in alerts. 
  • Similary 'Top users to investigate' score is wrong. As all the attempts are false +ve's, hence dropping your compliance score.

Concluding that a user will have a hard time monitoring the logs or will switch to another solution. 
The ideal solution though would be to have option to upload a list of suspecious IP's, where user get brute force attacks to be blocked from attempting to login. 

Edit - Issue is noted since 2019 and yet the same till date. Good luck!

@kkalra  Yep, that is my thinking too. The CA policy actually is fired only after a hacker makes their breach and they would then be prevented from access at that point. I am wondering about a few things now:

  • What is the impact of flagging an IP or CIDR range as "risky" when investigating events in Cloud App Security?  Does this then just flag future events from that login attempt as coming from a risky IP address or does it do any sort of blocking?  I guess that it would feed this tag info over to Azure Sentinel. 
  • What is the impact of adding IP's and CIDR range to the connection filter policy in Microsoft Defender / Threat Policies / Anti-spam policies?  I know from experience that senders with that mail server IP are indeed prevented from sending out domain email because once I accidentally listed an IP for one of our customer's email servers and their emails to us bounced.  I can tell you that if you use a tool like AdminDroid and audit the login attempts you will see attempted logins for invalid usernames (meaning that the UPN does not exist in our AD domain) and when you block these in the connection filter policy you then don't see future attempts from this IP - or so it seems to me!  

@Jim Hill thank you for your insight. I explored the two options 

 

  1. Flagging the IP/s as Risky will be useful when linked to a CloudAppSecurity Policy. Reference article 

    Now, looking at the Activity logs, I mark IP as 'Set as Risky IP and add to denylist'. I assume it feeds in Threat detection list of bad IP's.

    I still see failed sign-in attempts on AAD sign-in logs, and no alerts in CloudAppSecurity policy.

  2. In regards to Connection filter Policy.
    It is used for email filtering (allow/block messages) to control the emails landing in users inbox. Reference link
    I do not use AdminDroid hence not aware of those features.

 

All these actions discussed gets triggered after a sign-in attempt has been made.

Another failed instance

- Legacy authentication is blocked, however on failed sign-in one of the attempts is using IMAP4.