Failed attempts to log in to Office 365 tenant

I am noticing in my Office 365 tenant that there are numerous "failed login attempts" on almost all the users in the company. Why does this typically happen and what should I do to protect the company? I'm wondering if it's a bot trying to attempt a hack.

FYI, the main admin account is MFA so that is secure. Should I consider putting a limit on attempts to log in? If so, how do I do that and will that prevent users from logging in that currently have access?

Kundan Gupta, Lead Administrator

Commented:
I would suggest applying Conditional Access policies by restricting those IP addresses if it's coming from a specific region.

This happens when someone uses a password spray attack.

Author

Commented:
How would I know what region it is coming from?
Kundan Gupta, Lead Administrator

Commented:
Browse to portal.azure.com > Azure Active Directory > Sign-in

Download the reports, filter for Failure status, and see the Source.

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
David Favor, Fractional CTO
Distinguished Expert 2019

Commented:
Easy fix, use one of the several Windows ports of Fail2Ban, such as https://github.com/glasnt/wail2ban or any other.

Fail2Ban works adaptively, on automatic, with no human intervention.

Just set up a rule to scan a log, then for any IP generating 3x bad logins over an hour or day or whatever time you like, block the IP for a day.
Most Valuable Expert 2015
Distinguished Expert 2019
Commented:
The best thing you can possibly do here is disable basic authentication (where possible), which is what bad actors are usually trying to exploit. You can start by doing this for Exchange Online, via auth policies: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online

Or in general create a company-wide CA policy that blocks legacy auth.
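
The report review suggested in the thread (download the sign-in report, filter for Failure status, look at the source), as an added example that is not part of any post above. It groups failures by source IP and flags IPs that fail against many different accounts, the pattern a password spray leaves; the column names, the `min_users` threshold and the sample rows are assumptions constructed for illustration, so adjust them to match the exported file.

```python
import csv
import io
from collections import defaultdict

# Assumed column names for the exported sign-in CSV; change to match your file.
COL_USER, COL_IP, COL_LOCATION, COL_STATUS = "Username", "IP address", "Location", "Status"

# Constructed sample export (documentation IP ranges, made-up accounts).
SAMPLE_CSV = """\
Date (UTC),Username,IP address,Location,Status
2020-01-10T08:00:01Z,alice@example.com,203.0.113.7,Region A,Failure
2020-01-10T08:00:03Z,bob@example.com,203.0.113.7,Region A,Failure
2020-01-10T08:00:05Z,carol@example.com,203.0.113.7,Region A,Failure
2020-01-10T08:00:07Z,dave@example.com,203.0.113.7,Region A,Failure
2020-01-10T08:30:00Z,Alice@example.com,203.0.113.7,Region A,Failure
2020-01-10T09:01:00Z,erin@example.com,198.51.100.20,Region B,Failure
2020-01-10T09:01:30Z,erin@example.com,198.51.100.20,Region B,Failure
2020-01-10T09:02:00Z,alice@example.com,192.0.2.5,Region B,Success
"""

def load(text):
    """Parse CSV text into a list of dict rows keyed by the header line."""
    return list(csv.DictReader(io.StringIO(text)))

def summarize_failures(rows):
    """Per source IP: failed attempts, distinct targeted users, locations seen."""
    by_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "locations": set()})
    for row in rows:
        if row[COL_STATUS].strip().lower() != "failure":
            continue
        entry = by_ip[row[COL_IP].strip()]
        entry["attempts"] += 1
        entry["users"].add(row[COL_USER].strip().lower())  # case-insensitive UPN
        entry["locations"].add(row[COL_LOCATION].strip())
    return by_ip

def spray_candidates(by_ip, min_users=3):
    """IPs failing against >= min_users distinct accounts (spray-like).
    A single account failing repeatedly from one IP is usually a stale
    password or a typo, so it is not flagged here."""
    hits = [(ip, e["attempts"], len(e["users"]), sorted(e["locations"]))
            for ip, e in by_ip.items() if len(e["users"]) >= min_users]
    return sorted(hits, key=lambda h: h[2], reverse=True)

if __name__ == "__main__":
    for ip, attempts, users, locs in spray_candidates(summarize_failures(load(SAMPLE_CSV))):
        print(f"{ip}: {attempts} failures across {users} users, locations {locs}")
```

The flagged IPs and their locations are the input for the Conditional Access restriction mentioned in the first answer.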