al4629740

Failed attempts to login in Office 365 tenant

I am noticing in my Office 365 tenant that there are numerous "failed login attempts" on almost all the users in the company. Why does this typically happen and what should I do to protect the company? I'm wondering if it's a bot trying to attempt a hack.

FYI, the main admin account is MFA so that is secure. Should I consider putting a limit on attempts to log in? If so, how do I do that and will that prevent users from logging in that currently have access?
Kundan Gupta

I would suggest applying Conditional Access policies by restricting those IP addresses if it's coming from a specific region.

This happens when someone uses a password spray attack.
ASKER

How would I know what region it is coming from?
Browse to portal.azure.com > Azure Active Directory > Sign-in

Download reports and filter for Failure status and see the Source.

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
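
One way to work through the downloaded sign-in report, as an added example that is not part of any poster's answer: it groups failed sign-ins by source IP and flags sources that fail against many different accounts, the pattern a password spray leaves. The column names, the `min_users` threshold and the sample rows are assumptions constructed for illustration; match the column names to the header row of your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a sign-in log CSV export. The column names
# are assumptions; match them to the header row of your own download.
SAMPLE_CSV = """Date (UTC),Username,IP address,Location,Status
2021-03-01T08:00:01Z,alice@example.com,203.0.113.10,"Springfield, XX",Failure
2021-03-01T08:00:03Z,bob@example.com,203.0.113.10,"Springfield, XX",Failure
2021-03-01T08:00:05Z,carol@example.com,203.0.113.10,"Springfield, XX",Failure
2021-03-01T08:00:07Z,dave@example.com,203.0.113.10,"Springfield, XX",Failure
2021-03-01T09:12:00Z,alice@example.com,198.51.100.7,"Shelbyville, YY",Failure
2021-03-01T09:12:30Z,alice@example.com,198.51.100.7,"Shelbyville, YY",Success
2021-03-01T10:00:00Z,bob@example.com,192.0.2.44,"Shelbyville, YY",Success
"""

def summarize_failures(rows, min_users=3):
    """Group failed sign-ins by source IP and flag likely password-spray sources.

    One IP failing against many distinct accounts looks like a spray; one IP
    failing repeatedly for a single account is more often a mistyped password.
    """
    by_ip = defaultdict(lambda: {"failures": 0, "users": set(), "locations": set()})
    for row in rows:
        if row["Status"].strip().lower() != "failure":
            continue
        entry = by_ip[row["IP address"].strip()]
        entry["failures"] += 1
        entry["users"].add(row["Username"].strip().lower())
        entry["locations"].add(row["Location"].strip())
    report = []
    for ip, e in by_ip.items():
        report.append({
            "ip": ip,
            "failures": e["failures"],
            "distinct_users": len(e["users"]),
            "locations": sorted(e["locations"]),
            "spray_suspect": len(e["users"]) >= min_users,
        })
    # Widest user spread first: those sources deserve attention first.
    return sorted(report, key=lambda r: (-r["distinct_users"], -r["failures"]))

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

if __name__ == "__main__":
    for r in summarize_failures(load_rows(SAMPLE_CSV)):
        print(r)
```

The locations listed for each flagged source are what answer the "what region" question when deciding which locations a Conditional Access policy should restrict.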
Easy fix, use one of the several Windows ports of Fail2Ban, such as https://github.com/glasnt/wail2ban or any other.

Fail2Ban works adaptively, on automatic, with no human intervention.

Just set up a rule to scan a log, then for any IP generating 3x bad logins over an hour or day or whatever time you like, block the IP for a day.
ASKER CERTIFIED SOLUTION
Vasil Michev (MVP)
This solution is only available to members.