Is there a Microsoft best practice for changing the UPN to differ from the mail address, Azure Conditional Access Policy is failing us

Udata hua Holaind ka 1 Reputation point
2021-05-12T09:17:19.78+00:00

Hi all

Our problem:
Currently Azure Active Directory is locking Office 365 user accounts based on the number of failed sign-ins. If the user credentials are entered incorrectly, it does not check or verify the existing Azure Conditional Access Policy, i.e. whether this account can sign in from that location (country or IP address) or not, because the authentication was not successful.

The solution the Microsoft team supplies:
Conditional access policy will check location once first-factor authentication (right username and password) is satisfied. Unfortunately, it doesn't take action as long as primary authentication has not happened successfully. One workaround is to change the account UPN in order to prevent these kinds of attacks. They also pointed me to this link: https://feedback.azure.com/forums/34192--general-feedback/suggestions/40905253-prevent-account-lockout-due-to-brute-force-attack

My questions:
We are looking into changing the username/UPN but are finding contradictory information telling us the username must be the same as the mail address to have a pleasant user experience. And in an initial test we see an alias mail address is created that is identical to the changed UPN; it seems to me this is also a security issue and will eventually cause our problem to return.

Some follow up questions:

  • Can the UPN differ from the mail address with no negative impact on the user other than remembering a different username when logging on?
  • Is there a Microsoft best practice for changing the UPN to differ from the mail address for our specific problem?
  • Is there automation of some sort I can use, so I don’t have to change all the accounts by hand?
  • Is changing the UPN a long term solution or is this something that a bad actor somehow can find, and we are back where we are now?

Hope someone here has answers, would be very grateful!

Best regards,

Udata hua Holaind ka
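Added example, not from the original post or from Microsoft: a PowerShell preview (using the Microsoft Graph PowerShell SDK, Microsoft.Graph.Users module) of the accounts whose UPN is identical to their primary SMTP address, which is the condition the post wants to get rid of. The sign-in suffix `login.contoso.com` and the prefix scheme are assumptions; synced accounts are skipped because their UPN is mastered on-premises, and the script also flags the case the post observed, a proposed UPN that already exists as an SMTP alias.

```powershell
# Added example (not from the post). Assumes the Microsoft Graph PowerShell SDK
# and a session consented for User.ReadWrite.All. Nothing is changed while
# $Apply is $false; review the preview output first.

Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

$SignInSuffix = "login.contoso.com"   # assumed verified domain reserved for UPNs
$Apply        = $false                # set to $true only after reviewing the preview

$users = Get-MgUser -All -Property Id,UserPrincipalName,Mail,ProxyAddresses,OnPremisesSyncEnabled

foreach ($u in $users) {
    # The primary SMTP address is the proxyAddresses entry with an upper-case "SMTP:" prefix.
    $primary = ($u.ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' }) -creplace '^SMTP:', ''
    if (-not $primary) { $primary = $u.Mail }
    if (-not $primary) { continue }   # no mailbox, nothing to decouple

    # Only accounts where the public e-mail address doubles as the sign-in name are of interest.
    if (-not ($u.UserPrincipalName -ieq $primary)) { continue }

    if ($u.OnPremisesSyncEnabled) {
        # Synced users: the UPN is mastered in on-premises AD, change it there (Set-ADUser), not in Entra ID.
        Write-Warning "$($u.UserPrincipalName): directory-synced, change the UPN on-premises"
        continue
    }

    # Illustrative naming scheme: derive the prefix from the object ID so the new UPN
    # cannot be derived from the publicly known e-mail address.
    $newUpn = "u{0}@{1}" -f $u.Id.Substring(0, 8), $SignInSuffix

    # Flag the situation from the post: the proposed UPN is already an SMTP alias,
    # so it would still be discoverable as a mail address.
    $aliases = $u.ProxyAddresses -replace '^smtp:', ''
    if ($aliases -icontains $newUpn) {
        Write-Warning "$newUpn already exists as an alias on $($u.UserPrincipalName)"
    }

    [pscustomobject]@{ Current = $u.UserPrincipalName; Mail = $primary; Proposed = $newUpn }

    if ($Apply) {
        Update-MgUser -UserId $u.Id -UserPrincipalName $newUpn
    }
}
```

After applying, re-read `ProxyAddresses` for the changed accounts to confirm that no e-mail address policy has added the new UPN as an alias.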
