Microsoft Tech Community

Blocking International Countries


We have a conditional access policy that logs off accounts after 5 failed attempts.

We also have an international policy blocking all international countries and IPs.

Unfortunately, these attempts on our accounts happen before our international blocks.

I have spent way too much time with Msoft support to get nowhere.


Does anyone know how to just block even the attempt of logging on from international countries?

7 Replies

@Dan Moran Hi Dan. Conditional Access policies apply after first factor authentication, so the actor would need to have provided correct credentials before your Conditional Access policies will apply to the sign-in attempt.

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access...
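As an added illustration (not part of this thread or of any Microsoft tooling), the script below triages sign-in log records to show the ordering problem described above: password failures from blocked countries still count toward the 5-attempt lockout because they fail before Conditional Access evaluates. It assumes records shaped like Microsoft Graph signIn objects (status.errorCode, location.countryOrRegion) and the error codes 50126 (bad password) and 50053 (account locked); the sample records and the allowed-country set are constructed.

```python
from collections import defaultdict

INVALID_PASSWORD = 50126   # Entra error code: invalid username or password (first-factor failure)
ACCOUNT_LOCKED = 50053     # Entra error code: account locked after too many bad passwords
LOCKOUT_THRESHOLD = 5      # the 5-bad-attempt lockout discussed in the thread
ALLOWED_COUNTRIES = {"US"}  # assumption: countries the tenant's named location allows


def _rec(user, code, country):
    """Build a constructed record with the Graph signIn fields this script reads."""
    return {"userPrincipalName": user,
            "status": {"errorCode": code},
            "location": {"countryOrRegion": country}}


# Constructed sample: alice is sprayed from RU and ends up locked; bob sees two tries from CN.
SAMPLE_SIGNINS = (
    [_rec("alice@example.com", INVALID_PASSWORD, "RU") for _ in range(5)]
    + [_rec("alice@example.com", INVALID_PASSWORD, "US"),   # domestic failure, not counted as foreign
       _rec("alice@example.com", ACCOUNT_LOCKED, "RU")]
    + [_rec("bob@example.com", INVALID_PASSWORD, "CN") for _ in range(2)]
)


def lockout_risk(signins, allowed=ALLOWED_COUNTRIES, threshold=LOCKOUT_THRESHOLD):
    """Per user: first-factor failures from non-allowed countries and whether a lockout followed.

    A Conditional Access location block never sees these events, because the
    password check fails first; only the lockout counter does.
    """
    failures = defaultdict(lambda: defaultdict(int))
    locked = set()
    for s in signins:
        user = s["userPrincipalName"]
        code = s["status"]["errorCode"]
        country = s["location"]["countryOrRegion"]
        if code == INVALID_PASSWORD and country not in allowed:
            failures[user][country] += 1
        elif code == ACCOUNT_LOCKED:
            locked.add(user)
    report = {}
    for user, by_country in failures.items():
        total = sum(by_country.values())
        report[user] = {"foreign_failures": total,
                        "by_country": dict(by_country),
                        "locked": user in locked,
                        "at_risk": total >= threshold}
    return report


if __name__ == "__main__":
    for user, info in lockout_risk(SAMPLE_SIGNINS).items():
        print(user, info)
```

Users flagged `at_risk` are the ones whose foreign-sourced failures alone would trip the lockout, which is the population a location block placed in front of first-factor authentication (rather than a Conditional Access policy) would protect.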

@KernelCaleb 

thank you very much for the response.

So how does anyone block outsiders from locking down accounts with any type of conditional access policy? This is what we are dealing with. Accounts get attacked and thus they get locked down. The policy is doing what we ask it to, thankfully.

But how do you protect accounts from just being locked down, almost like a DDoS attack?

That is the discussion in another group I am with.

It just seems there should be some sort of rule that can apply if after x-amount of attempts, block the IP or country or something like that.


Dan

I follow what you're saying and this article https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access... , states that "Conditional Access policies are enforced after first-factor authentication is completed. Conditional Access isn't intended to be an organization's first line of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access."
I also wonder what people are doing around this, what would be a great recommendation here, and what's on MSFT's roadmap for this specific scenario.

Cheers,
Thiago Beier
Hi again Dan Moran, I did remember leveraging MCAS (CASB) once to block all access to https://portal.office.com from "blocked countries", and the client liked it because that reduced the account lockouts. I'll check if I still have it documented to share.

@Thiago Beier 

Any help would be greatly appreciated. I will try to find the setting on my side as well.

Hi again, my access was revoked; I got a screenshot here.
I need to revisit this topic but this helped us to get accounts blocked before MFA

I'll see if I can get this going on my DEMO tenant to post it.

@Dan Moran 

@Thiago Beier 

This is very similar to policies we already have in place. But I did create a new one based on your settings and I just got kicked again by a location that was specifically named in this new policy. It also says this policy was not matched.

We have an AD policy that locks accounts after 5 bad attempts. It seems these attempts are triggering that policy before it can get to a policy like this.

The hope was to have policies like these in front of our 5-attempt lockout, but that seems to be where the drop is.


Dan