question

UdatahuaHolaindka-7168 avatar image
0 Votes"
UdatahuaHolaindka-7168 asked anubhava commented

Is there a Microsoft best practice for changing the UPN to differ from the mail address, Azure Conditional Access Policy is failing us

Hi all

Our problem:
Currently Azure Active Directory is locking Office 365 user accounts based on the number of failed sign-ins. If the user credentials are entered incorrectly, it does not check or verify existing Azure Conditional Access Policy, whether this account can sign-in from that location (Country or IP address) or not, because the authentication was not successful.

The solution the Microsoft team supplies:
Conditional access policy will check location once first factor authentication (right username and password) is satisfied. Unfortunately, It doesn't take action as long as primary authentication is not happened successfully. One workaround is to change account UPN in order to prevent these kind of attacks. And they also pointed me to this link: https://feedback.azure.com/forums/34192--general-feedback/suggestions/40905253-prevent-account-lockout-due-to-brute-force-attack


My questions:
We are looking into changing the username/UPN but are finding contradicting information telling us the username must be the same as the mail address to have a pleasant user experience. And in an initial test we see an alias mail address is created that is identical to the changed UPN, seems to me this is also a security issue/will eventually cause our problem to return.

Some follow up questions:
- Can the UPN differ from the mail address with no negative impact on the user other then remembering a different username when logging on?
- Is there a Microsoft best practice for changing the UPN to differ from the mail address for our specific problem?
- Is there automation of some sort I can use, so I don’t have to change all the accounts by hand?
- Is changing the UPN a long term solution or is this something that a bad actor somehow can find, and we are back where we are now?

Hope someone here has answers, would be very grateful!


Best regards,

Udata hua Holaind ka

azure-ad-authenticationazure-ad-conditional-access
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

I am not sure but , you could use Azure Defender for identity . https://docs.microsoft.com/en-us/defender-for-identity/activities-search . with Azure firewall which can help you stop it . However it will ad to significant cost to the business.

0 Votes 0 ·

0 Answers