daniel munoz
asked on
prevent unauthorized login attempts on O365
Office 365 Conditional Access rules have the ability to limit access, but how do you stop multiple failed attempts from causing account lockout?
My CA rules work in that users cannot log in successfully from the wrong IP or GEO, but can still create failed attempts.
The aim is not to stop unauthorized attempts but to stop unauthorized access: enable and enforce multifactor authentication using modern authentication.
ASKER
How do you deal with the constant account lockouts then? It's causing interruptions, as users cannot log back into Outlook or mobile mail because the account is locked out for xx time period. Currently the lockout settings are 2 failed password attempts and then a 10-minute lockout. The bots are returning hourly to create another lockout.
I was hoping to find a policy that dropped connection attempts from non-trusted IPs or devices.
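The lockouts described above happen because Conditional Access is evaluated only after the password has been checked, so a bot sending wrong passwords from an untrusted IP still burns the lockout counter even though it can never be granted a session. Before tuning the lockout threshold or adding named-location blocks, it helps to see exactly which source addresses are spraying, which accounts are being pushed over the threshold, and, importantly, which untrusted sources were stopped only by Conditional Access (those had a valid password). The following is an added example, not code from the thread or from Microsoft: it triages sign-in records exported in the shape of the Microsoft Graph `signIn` resource (`createdDateTime`, `userPrincipalName`, `ipAddress`, `status.errorCode`). The corporate range `203.0.113.0/24`, the sample records, and the threshold of 2 failures in 10 minutes (matching the lockout settings in the post) are all constructed assumptions; the AADSTS codes 0, 50126, 50053 and 53003 are the values Azure AD reports for success, bad credentials, locked account and Conditional Access block, but confirm them against your own tenant's logs.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID (Azure AD) sign-in result codes as seen in status.errorCode of the
# Graph signIn resource. Verify against your tenant before relying on them.
ERR_SUCCESS = 0
ERR_BAD_CREDENTIALS = 50126   # invalid username or password
ERR_ACCOUNT_LOCKED = 50053    # too many bad passwords; account is locked
ERR_BLOCKED_BY_CA = 53003     # password was accepted, Conditional Access denied

# Assumed corporate egress range (constructed for this example).
TRUSTED_CIDRS = ["203.0.113.0/24"]

# Constructed sample export: two spray hits on alice from one IP, alice's own
# phone then hitting the lockout, bob's correct password stopped only by CA,
# a normal typo by carol from inside the office, and one low-rate spray on carol.
SAMPLE_SIGNINS = """[
 {"createdDateTime":"2024-03-01T08:00:00Z","userPrincipalName":"alice@contoso.example","ipAddress":"198.51.100.7","status":{"errorCode":50126}},
 {"createdDateTime":"2024-03-01T08:00:05Z","userPrincipalName":"alice@contoso.example","ipAddress":"198.51.100.7","status":{"errorCode":50126}},
 {"createdDateTime":"2024-03-01T08:00:40Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.20","status":{"errorCode":50053}},
 {"createdDateTime":"2024-03-01T08:02:00Z","userPrincipalName":"bob@contoso.example","ipAddress":"198.51.100.7","status":{"errorCode":53003}},
 {"createdDateTime":"2024-03-01T08:03:00Z","userPrincipalName":"carol@contoso.example","ipAddress":"203.0.113.20","status":{"errorCode":50126}},
 {"createdDateTime":"2024-03-01T09:00:00Z","userPrincipalName":"carol@contoso.example","ipAddress":"198.51.100.9","status":{"errorCode":50126}},
 {"createdDateTime":"2024-03-01T09:30:00Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.20","status":{"errorCode":0}}
]"""


def parse_signins(text):
    """Load exported sign-in records and attach a parsed UTC timestamp."""
    records = json.loads(text)
    for r in records:
        r["_ts"] = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
    return records


def is_trusted(ip, trusted_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


def max_in_window(timestamps, window):
    """Largest number of events inside any interval of length `window` (sliding window)."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(records, trusted_cidrs, threshold, window_minutes):
    """Classify sign-ins relative to the trusted ranges and the lockout policy."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)   # upn -> timestamps of bad passwords from untrusted IPs
    sources = set()                # untrusted IPs sending bad passwords (spray sources)
    password_known = set()         # untrusted IP passed the password check, CA stopped it
    collateral = set()             # trusted (legitimate) sessions that hit the lockout
    for r in records:
        code = r["status"]["errorCode"]
        upn = r["userPrincipalName"]
        untrusted = not is_trusted(r["ipAddress"], trusted)
        if code == ERR_BAD_CREDENTIALS and untrusted:
            failures[upn].append(r["_ts"])
            sources.add(r["ipAddress"])
        elif code == ERR_BLOCKED_BY_CA and untrusted:
            password_known.add(upn)
        elif code == ERR_ACCOUNT_LOCKED and not untrusted:
            collateral.add(upn)
    at_risk = {}
    for upn, ts in failures.items():
        n = max_in_window(ts, window)
        if n >= threshold:
            at_risk[upn] = n
    return {
        "lockout_risk": at_risk,                         # users the spray can lock out
        "spray_sources": sorted(sources),                # candidates for a named-location block
        "password_known_to_attacker": sorted(password_known),  # reset these passwords
        "collateral_lockouts": sorted(collateral),       # users already disrupted
    }


def run_sample():
    """Run the triage over the constructed export with the thread's 2-in-10-minutes policy."""
    return triage(parse_signins(SAMPLE_SIGNINS), TRUSTED_CIDRS, threshold=2, window_minutes=10)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The two lists that matter operationally are `spray_sources` (feed these into a named location that Conditional Access blocks, or into an upstream firewall if authentication is proxied on-premises) and `password_known_to_attacker`: a 53003 from an untrusted address means the password check already succeeded, so Conditional Access and MFA were the only thing standing between that account and the attacker, and the password should be rotated. Note that a bad-password attempt from a trusted range (carol's 08:03 entry) is deliberately not counted, because the policy problem is untrusted traffic consuming the lockout budget, not ordinary typos.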
Have you tried setting up a conditional access policy?
https://www.michev.info/Blog/Post/2186/limiting-access-to-office-365-by-country
ASKER
Yes, CA policies prevent unauthorized access but not unauthorized attempts that lead to account lockout. Not worried about access with current policies and MFA, but still suffering from accounts getting locked out due to many failed attempts.
Other policies in place include only modern authentication allowed (no IMAP, POP, and SMTP).
Testing from untrusted locations results in the following:
Good password = MS popup stating you are not authorized to log in from this location.
Bad usernames and passwords = after the designated number of login attempts the account gets locked out; then the user's iPhone connects with proper auth and the server asks for the password, as the account is in lockout status for the next xx minutes.
So, what I am trying to communicate is that while my CA and other policies do successfully limit access to the desired GEOs and IPs, they do not prevent account lockout created by the continuous login attempts.
It's like a PITA denial of service with continuous login attempts from untrusted locations.
ASKER CERTIFIED SOLUTION