Smart lockout issue on Azure

Jorge A 1 Reputation point
2022-12-16T09:54:08.867+00:00

Smart lockout is blocking a user because of a brute force attack. The user is being unlocked automatically and correctly, but the O365 applications are asking her for credentials all the time, so the user can't work correctly. Is this normal behavior? It seems like a DoS attack against the user account instead of a brute force attack. Could anyone help us fix this issue?


2 answers

  1. Akshay-MSFT 17,656 Reputation points Microsoft Employee
    2022-12-23T09:47:41.57+00:00

    Hello @Jorge A ,

    I was able to review the description you have shared. Apart from Smart lockout password protection by default, Azure AD also protects against attacks by analyzing signals including IP traffic and identifying anomalous behavior. Azure AD will block these malicious sign-ins by default.

    This causes the user to be blocked as soon as the policy is enforced. Any issued tokens are revoked. For CAE enabled resources, access is terminated near immediately. This causes the application to prompt for authentication.

    Apart from this, if you feel this to be a DDoS attack, then Microsoft offers Azure DDoS Protection.

    Azure DDoS Protection protects resources in a virtual network including public IP addresses associated with virtual machines, load balancers, and application gateways. When coupled with the Application Gateway web application firewall, or a third-party web application firewall deployed in a virtual network with a public IP, Azure DDoS Protection can provide full layer 3 to layer 7 mitigation capability.

    Kindly follow QuickStart for deployment.

    Thanks,
    Akshay Kaushik

    Please "Accept the answer", "Upvote" and rate your experience if the suggestion answers your query. This will help us and others in the community as well.


  2. Jorge A 1 Reputation point
    2022-12-26T13:33:20.293+00:00

    Hello @Akshay-MSFT ,

    Thank you for the answer. I think your description of the problem must be correct. Anyway, I don't think the purpose of the attack is a DoS, but it seems like one because the consequence is that the user can't work normally. Any suggestions for the Azure configuration in order to allow the user's daily work to continue correctly without losing security in our O365 tenant?

    Thanks!

    Regards,
    Jorge
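
Added example, not part of the original thread and not Microsoft's code: a triage of exported sign-in records that shows whether lockout results (AADSTS50053) land on the address the user actually works from or only on other addresses. The sample records are constructed, the field names follow the Microsoft Graph signIn resource, and treating any address with a successful sign-in as the user's own is an assumption.

```python
from collections import Counter, defaultdict

# AADSTS result codes as they appear in status.errorCode of a sign-in record.
SUCCESS = 0           # sign-in succeeded
BAD_PASSWORD = 50126  # invalid username or password
LOCKED = 50053        # account locked, or sign-in blocked from a flagged IP


def rec(ip, code, upn="user@contoso.example"):
    """Build one constructed record with the Graph signIn field names."""
    return {"userPrincipalName": upn, "ipAddress": ip,
            "status": {"errorCode": code}}


# Constructed sample data (documentation IP ranges, hypothetical tenant).
SAMPLE = (
    [rec("203.0.113.10", SUCCESS)] * 2 + [rec("203.0.113.10", LOCKED)]
    + [rec("198.51.100.7", BAD_PASSWORD)] * 3 + [rec("198.51.100.7", LOCKED)] * 2
    + [rec("198.51.100.8", BAD_PASSWORD)]
    + [rec("198.51.100.7", BAD_PASSWORD, upn="other@contoso.example")]
)


def triage(records, upn):
    """Count result codes per source IP for one user (case-insensitive UPN)."""
    per_ip = defaultdict(Counter)
    for r in records:
        if r["userPrincipalName"].lower() == upn.lower():
            per_ip[r["ipAddress"]][r["status"]["errorCode"]] += 1
    return per_ip


def classify(per_ip):
    """Label each IP. Assumption: an IP with a success belongs to the user."""
    labels = {}
    for ip, codes in per_ip.items():
        if codes[SUCCESS]:
            # The user's own address also hit a lockout: collateral impact.
            labels[ip] = "user-locked-out" if codes[LOCKED] else "user"
        elif codes[BAD_PASSWORD] or codes[LOCKED]:
            labels[ip] = "suspect"
        else:
            labels[ip] = "other"
    return labels


if __name__ == "__main__":
    for ip, label in sorted(classify(triage(SAMPLE, "user@contoso.example")).items()):
        print(ip, label)
```

A `user-locked-out` label means the lockout is reaching the user's own address; only `suspect` labels means the lockouts are confined to other sources and the repeated prompts need a different explanation.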
