We have an on-premises Active Directory that is synced with Azure AD via Azure AD Sync. We have conditional access policies set up to prevent anyone outside of the United States from being able to access the system.
We've come across a problem where staff are getting locked out of their accounts because of multiple failed attempts to log in to their accounts with a bad password. These attempts are coming from outside the United States, and conditional access is not being checked. In our testing, it appears that conditional access is only checked after a SUCCESSFUL login attempt.
Is there a way to prevent login attempts entirely if they are coming from outside of the United States? Or is there a way to prevent staff from being constantly locked out without allowing the bad actors unlimited attempts on their accounts?
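The following PowerShell is an added example, not part of the original question. It shows the two checks a practitioner would run first when cloud-originated password attempts are locking on-premises accounts: find where the lockouts are being reported from (event 4740 on the PDC emulator records the caller computer; if that is a pass-through authentication agent or an AD FS server, the bad passwords arrived through the cloud sign-in path rather than from a machine on the LAN), and compare the domain's lockout threshold with whatever cloud-side lockout threshold is configured, since the cloud can only absorb bad attempts before AD locks the account if its threshold is the lower of the two. It assumes the RSAT ActiveDirectory module, read access to the PDC emulator's Security log, and that the cloud sign-in path validates passwords against the on-premises domain (pass-through authentication or AD FS); with password hash sync alone, cloud attempts do not lock the on-premises account.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and read access to the PDC emulator's Security log.
Import-Module ActiveDirectory

# Every account lockout in the domain is recorded as event 4740 on the PDC emulator.
$pdc = (Get-ADDomain).PDCEmulator

# 1. Which accounts are locked out right now?
Search-ADAccount -LockedOut |
    Select-Object SamAccountName, LockedOut |
    Format-Table -AutoSize

# 2. Where are the lockouts coming from?
#    In 4740, Properties[0] is the locked-out user and Properties[1] is the
#    "Caller Computer Name" that presented the bad passwords. A pass-through
#    authentication agent host or an AD FS server here means the attempts
#    arrived via cloud sign-in, which is why conditional access never saw them.
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$lockouts | ForEach-Object {
    [pscustomobject]@{
        Time           = $_.TimeCreated
        User           = $_.Properties[0].Value
        CallerComputer = $_.Properties[1].Value
    }
} | Group-Object CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 3. What does the on-premises policy allow before it locks the account?
#    Cloud-side lockout (e.g. Azure AD smart lockout) only shields the on-prem
#    account if its threshold is lower than this LockoutThreshold, so that the
#    cloud stops forwarding bad passwords before AD reaches its own limit.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow |
    Format-List
```

Run this on a domain-joined admin workstation. If step 2 attributes most lockouts to the pass-through authentication agent hosts or AD FS servers, the lockouts are a by-product of cloud sign-in attempts, and raising the on-premises threshold above the cloud-side one (or lowering the cloud-side one) is what stops AD from locking the account while still throttling the attacker at the cloud.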