AndrewAcuna-5774 asked

Accounts getting locked out

We have an on-premises Active Directory that is synced with Azure AD via Azure AD Sync. We have conditional access policies set up to prevent anyone outside of the United States from being able to access the system.

We've come across a problem where staff are getting locked out of their accounts because of multiple failed attempts to log in to their accounts with a bad password. These attempts are coming from outside the United States, and conditional access is not being checked. In our testing, it appears that conditional access is only checked after a SUCCESSFUL login attempt.

Is there a way to prevent login attempts entirely if they come from outside of the United States? Or is there a way to prevent staff from being constantly locked out without allowing the bad actors unlimited attempts on their accounts?

Tags: azure-active-directory, azure-ad-authentication

1 Answer

1 Vote
MarileeTurscak-MSFT answered

Hi @AndrewAcuna-5774,

Geo-IP blocking is probably the best way to do this. To block specific countries you can set up custom rules and security policies, and then restrict the access to your web applications by country or region. To create a geo-filtering custom rule, select "Geo-location" as the Match Type, and then select the country you want to allow/block from your application.

(See Geomatch Custom Rules and Front Door Geo Filtering.)

As you correctly noted, conditional access for MFA only blocks second-factor authentication and does not block first-factor authentication.

Another option that will give you part of what you need is to use Identity Protection to watch accounts for abnormal behavior. It doesn't exclude IPs of specific countries but does catch and block suspicious login attempts. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection

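Added example, not code from the question or the answer: a small Python triage over sign-in log records shaped like the Microsoft Graph signIn resource (userPrincipalName, ipAddress, status.errorCode, location.countryOrRegion, conditionalAccessStatus). It checks the observation in the question directly, since a first-factor failure carries conditionalAccessStatus "notApplied" when Conditional Access never ran, counts how many of the lockout-causing failures came from outside the US, which is the traffic a country block would absorb, and lists the sprayed users. The records, the contoso.example domain and the home-country value are constructed for the example; the error codes 50126 (bad password), 50053 (account locked) and 53003 (blocked by Conditional Access) are documented Entra ID sign-in codes.

```python
"""Triage sign-in log records for a password spray that locks out synced accounts.

Added example, not code from the question or answer. The records below are
constructed to mirror the Microsoft Graph signIn shape; they are not real data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Documented Entra ID (Azure AD) sign-in error codes.
BAD_PASSWORD = 50126     # invalid username or password
ACCOUNT_LOCKED = 50053   # account locked after too many bad passwords
CA_BLOCKED = 53003       # blocked by a Conditional Access policy
SUCCESS = 0

HOME_COUNTRY = "US"      # assumption: the only region the question wants to allow

# Constructed sample records (not real data); documentation IP ranges only.
SAMPLE_SIGNINS = [
    # alice is sprayed from BR and RU, gets locked, then fails from the office with 50053
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": BAD_PASSWORD},
     "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": BAD_PASSWORD},
     "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.23",
     "location": {"countryOrRegion": "RU"}, "status": {"errorCode": BAD_PASSWORD},
     "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "192.0.2.44",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": ACCOUNT_LOCKED},
     "conditionalAccessStatus": "notApplied"},
    # bob mistypes once from the office, then signs in; policy runs only on the success
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "192.0.2.45",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": BAD_PASSWORD},
     "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "192.0.2.45",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": SUCCESS},
     "conditionalAccessStatus": "success"},
    # carol's password is guessed from abroad; Conditional Access then blocks the session
    {"userPrincipalName": "carol@contoso.example", "ipAddress": "203.0.113.99",
     "location": {"countryOrRegion": "BR"}, "status": {"errorCode": CA_BLOCKED},
     "conditionalAccessStatus": "failure"},
]


@dataclass
class UserSummary:
    failures_by_country: Counter = field(default_factory=Counter)
    foreign_failures: int = 0          # first-factor failures from outside HOME_COUNTRY
    locked_out: bool = False           # at least one 50053 seen
    ca_blocked: int = 0                # correct password, but policy denied access
    successes: int = 0


@dataclass
class Report:
    users: dict                                  # upn -> UserSummary
    first_factor_failures_with_ca_applied: int   # expected to stay 0
    blockable_by_geo: int                        # foreign first-factor failures, all users


def triage(records, home=HOME_COUNTRY):
    """Fold sign-in records into per-user summaries plus two tenant-wide counters."""
    users = defaultdict(UserSummary)
    ca_on_failure = 0
    foreign_failures = 0
    for rec in records:
        u = users[rec["userPrincipalName"]]
        code = rec["status"]["errorCode"]
        country = rec["location"]["countryOrRegion"]
        if code == SUCCESS:
            u.successes += 1
        elif code == CA_BLOCKED:
            u.ca_blocked += 1
        elif code in (BAD_PASSWORD, ACCOUNT_LOCKED):
            # Password rejected, or lockout already in effect: policy never ran.
            u.failures_by_country[country] += 1
            if country != home:
                u.foreign_failures += 1
                foreign_failures += 1
            if code == ACCOUNT_LOCKED:
                u.locked_out = True
            if rec["conditionalAccessStatus"] != "notApplied":
                ca_on_failure += 1
    return Report(dict(users), ca_on_failure, foreign_failures)


def sprayed_users(report, min_foreign=2):
    """Users whose first-factor failures from outside the home country reach the threshold."""
    return sorted(u for u, s in report.users.items() if s.foreign_failures >= min_foreign)


if __name__ == "__main__":
    r = triage(SAMPLE_SIGNINS)
    for upn, s in sorted(r.users.items()):
        print(f"{upn}: failures={dict(s.failures_by_country)} foreign={s.foreign_failures} "
              f"locked={s.locked_out} ca_blocked={s.ca_blocked}")
    print("first-factor failures where CA was evaluated:", r.first_factor_failures_with_ca_applied)
    print("attempts a non-US country block would have dropped:", r.blockable_by_geo)
    print("sprayed users:", sprayed_users(r))
```

The same function runs unchanged over real records exported from the sign-in logs, since it only reads the fields named above. Two things to read off the report: `first_factor_failures_with_ca_applied` staying at zero confirms the question's point that policy is not evaluated on a rejected password, and `blockable_by_geo` is only meaningful for traffic that actually passes through whatever enforces the country rule; the Front Door geo-filter the answer describes applies to requests reaching applications behind Front Door.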