Currently, Azure Active Directory is locking Office 365 user accounts based on the number of failed sign-ins. If the user credentials are entered incorrectly, it does not check or verify the existing Azure Conditional Access Policy (whether this account can sign in from that location, country or IP address, or not), because the authentication was not successful.
The solution the Microsoft team supplies:
Conditional access policy will check location once first-factor authentication (right username and password) is satisfied. Unfortunately, it doesn't take action as long as primary authentication has not happened successfully. One workaround is to change the account UPN in order to prevent this kind of attack. And they also pointed me to this link: https://feedback.azure.com/forums/34192--general-feedback/suggestions/40905253-prevent-account-lockout-due-to-brute-force-attack
We are looking into changing the username/UPN but are finding contradictory information telling us the username must be the same as the mail address to have a pleasant user experience. And in an initial test we see that an alias mail address is created that is identical to the changed UPN; it seems to me this is also a security issue and will eventually cause our problem to return.
Some follow up questions:
- Can the UPN differ from the mail address with no negative impact on the user other than remembering a different username when logging on?
- Is there a Microsoft best practice for changing the UPN to differ from the mail address for our specific problem?
- Is there automation of some sort I can use, so I don't have to change all the accounts by hand?
- Is changing the UPN a long term solution or is this something that a bad actor somehow can find, and we are back where we are now?
Hope someone here has answers, would be very grateful!
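As an added example (not part of the original post, and not Microsoft's own guidance), the bulk UPN change asked about above can be scripted with the Microsoft Graph PowerShell SDK: it moves every user whose UPN ends in one suffix to a separate login-only suffix, leaves the mail attribute untouched, and records any alias the service adds so the alias concern raised above can be reviewed. The domain names and the `-Commit` switch are assumptions; the login suffix must already be a verified domain in the tenant.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph module and
# the User.ReadWrite.All scope. Domain names below are placeholders.
param(
    [string]$MailDomain  = 'contoso.com',        # placeholder: current UPN/mail suffix
    [string]$LoginDomain = 'login.contoso.com',  # placeholder: new, non-mail login suffix
    [switch]$Commit                              # without -Commit the script only reports
)

Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

# endsWith() on userPrincipalName is an advanced query: it needs ConsistencyLevel=eventual and $count.
$users = Get-MgUser -All -ConsistencyLevel eventual -CountVariable total `
    -Filter "endsWith(userPrincipalName,'@$MailDomain')" `
    -Property Id,UserPrincipalName,Mail,ProxyAddresses

$log = foreach ($u in $users) {
    $localPart = $u.UserPrincipalName.Split('@')[0]
    $newUpn    = "$localPart@$LoginDomain"

    if ($Commit) {
        # Only the UPN is rewritten; Mail and ProxyAddresses are not passed, so they stay as they are.
        Update-MgUser -UserId $u.Id -UserPrincipalName $newUpn
        # Re-read to confirm the mail attribute survived and to capture any alias the service added.
        $after = Get-MgUser -UserId $u.Id -Property UserPrincipalName,Mail,ProxyAddresses
    }
    else {
        $after = $u   # dry run: report what would change
    }

    [pscustomobject]@{
        Id           = $u.Id
        OldUpn       = $u.UserPrincipalName
        NewUpn       = $newUpn
        Mail         = $after.Mail
        Committed    = [bool]$Commit
        # Aliases that now carry the login suffix; these are the ones to review after the change.
        LoginAliases = @($after.ProxyAddresses | Where-Object { $_ -like "*@$LoginDomain" }) -join ';'
    }
}

$log | Export-Csv -Path "upn-change-$(Get-Date -Format yyyyMMdd-HHmm).csv" -NoTypeInformation
$log | Format-Table OldUpn,NewUpn,Mail,Committed,LoginAliases -AutoSize
```

Run it once without `-Commit` to review the planned changes in the CSV, then again with `-Commit` to apply them.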