Nov 18 2022 09:56 AM
We have a conditional access policy that logs off accounts after 5 failed attempts.
We also have an international policy blocking all international countries and IPs.
Unfortunately, these attempts on our accounts happen before our international blocks.
I have spent way too much time with Msoft support to get nowhere.
Does anyone know how to just block even the attempt of logging on from international countries?
Nov 18 2022 07:09 PM
@Dan Moran Hi Dan. Conditional Access policies apply after first factor authentication, so the actor would need to have provided correct credentials before your Conditional Access policies will apply to the sign-in attempt.
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access...
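The mechanism described in this reply is visible in the sign-in logs: a wrong password is rejected at first factor, so the record shows Conditional Access as not applied, while the bad attempt still counts toward the account lockout. The Python below is an added example, not code from the thread or from Microsoft; it tallies such attempts per account from outside a set of home countries over constructed sample records, with field names following the Microsoft Graph signIn resource as I understand it (an assumption) and error code 50126 being the Azure AD invalid-credentials result.

```python
import json
from collections import defaultdict

INVALID_CREDENTIALS = 50126  # Azure AD error code for a wrong username/password

# Constructed sample sign-in records (not real data), shaped like Microsoft Graph
# signIn objects. A bad password is rejected at first factor, so Conditional
# Access never evaluates the attempt: conditionalAccessStatus is "notApplied".
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "dan@example.com", "status": {"errorCode": 50126},
     "location": {"countryOrRegion": "BR"}, "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "dan@example.com", "status": {"errorCode": 50126},
     "location": {"countryOrRegion": "BR"}, "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "dan@example.com", "status": {"errorCode": 50126},
     "location": {"countryOrRegion": "RU"}, "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "dan@example.com", "status": {"errorCode": 50126},
     "location": {"countryOrRegion": "RU"}, "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "dan@example.com", "status": {"errorCode": 50126},
     "location": {"countryOrRegion": "RU"}, "conditionalAccessStatus": "notApplied"},
    # Correct credentials from the home country: CA is evaluated and succeeds.
    {"userPrincipalName": "dan@example.com", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "US"}, "conditionalAccessStatus": "success"},
    # A single typo from the home country is not foreign pressure on the account.
    {"userPrincipalName": "alice@example.com", "status": {"errorCode": 50126},
     "location": {"countryOrRegion": "US"}, "conditionalAccessStatus": "notApplied"},
])

def summarise_foreign_bad_passwords(raw_json, home_countries=("US",)):
    """Per account: bad-password attempts from outside home_countries, and how
    many of those ever reached Conditional Access (expected to be zero)."""
    summary = defaultdict(lambda: {"foreign_bad_password": 0, "ca_applied": 0})
    for rec in json.loads(raw_json):
        entry = summary[rec["userPrincipalName"]]  # every account gets an entry
        if rec["status"]["errorCode"] != INVALID_CREDENTIALS:
            continue  # not a first-factor failure
        if rec["location"]["countryOrRegion"] in home_countries:
            continue  # domestic mistake, not the pattern under discussion
        entry["foreign_bad_password"] += 1
        if rec["conditionalAccessStatus"] != "notApplied":
            entry["ca_applied"] += 1  # would contradict the first-factor rule
    return dict(summary)

def lockout_candidates(summary, threshold=5):
    """Accounts whose foreign bad-password count has reached the lockout threshold."""
    return sorted(upn for upn, s in summary.items()
                  if s["foreign_bad_password"] >= threshold)

if __name__ == "__main__":
    print(lockout_candidates(summarise_foreign_bad_passwords(SAMPLE_SIGNINS)))
```

Running the same logic over a real export of sign-in logs shows which accounts are being pushed toward the five-attempt lockout purely by first-factor failures that no Conditional Access policy ever saw.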
Nov 19 2022 03:37 PM
Thank you very much for the response.
So how does anyone block outsiders from locking down accounts with any type of conditional access policy? This is what we are dealing with. Accounts get attacked and thus they get locked down. The policy is doing what we ask it to, thankfully.
But how do you protect accounts from just being locked down, almost like a DDoS attack?
That is the discussion in another group I am with.
It just seems there should be some sort of rule that can apply if after x-amount of attempts, block the IP or country or something like that.
Dan
Dec 19 2022 08:28 PM
Dec 19 2022 09:32 PM
Dec 20 2022 05:02 AM
Any help would be greatly appreciated. I will try to find the setting on my side as well.
Dec 21 2022 01:21 PM - edited Dec 21 2022 01:26 PM
Hi again, my access was revoked. I got a screenshot here.
I need to revisit this topic but this helped us to get accounts blocked before MFA
I'll see if I can get this going on my DEMO tenant to post it
Dec 22 2022 08:31 AM
This is very similar to policies we already have in place. But I did create a new one based on your settings and I just got kicked again by a location that was specifically named in this new policy. It also says this policy was not matched.
We have an AD policy that locks accounts after 5 bad attempts. It seems these attempts are triggering that policy before it can get to a policy like this.
The hope was to have policies like these in front of our 5 attempt lockout, but that seems to be where the drop is.
Dan