Prevent Azure password spray attack.

brichardi 361 Reputation points
2022-12-22T14:37:34.157+00:00

Hello Azure Guru,

I work in a K-12 environment, and we are currently experiencing an Azure password spray attack. Right now everyone can access the Azure portal from either inside or outside of the network.

My question is: if we create a Conditional Access policy and force users to access the Azure portal from inside only, will it eliminate the issue of Azure password spray attacks?

Thanks for your help.

If I am in the wrong discussion group, can you tell me the correct discussion group for my question?


Accepted answer
  1. Dillon Silzer 57,831 Reputation points Volunteer Moderator
    2022-12-22T16:28:50.42+00:00

    Hi @brichardi

    Please take a look at using Conditional Access Policies to restrict IP addresses (with Named locations):

    Location condition in policy

    https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition#location-condition-in-policy

    This would be ideal if you don't require your students to log in outside of the school, but may not work if you need them to log in at home. You could combo this together with a Student-only Azure AD dynamic group so that this only applies to students (who don't have MFA enabled, assuming your staff do).

    As @Daniel Bradley stated above, you cannot stop a spray attack, as Conditional Access Policies are triggered AFTER the event (not before). You can however use what I mentioned to block outside countries from authenticating to mitigate some risk.

    ---------------------------------------------

    If this is helpful please accept answer.


2 additional answers

  1. Daniel Bradley 1,066 Reputation points
    2022-12-22T14:48:47.187+00:00

    No, it generally wouldn't. Conditional Access policies take effect AFTER the first-factor authentication (password). So if they get the password correct, they would then be blocked, BUT they would know the correct password. This is an issue, as most organisations may have another vector into their network (outside of 365) that may use the same password without MFA.

    You should look into this: https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/advancing-password-spray-attack-detection/ba-p/1276936.

    Azure AD P2 and Identity protection have some great features to help you with this problem.


  2. David Broggy 6,376 Reputation points MVP Volunteer Moderator
    2022-12-22T19:08:34.033+00:00

    Also consider looking at the smart lockout feature.
    This is an often overlooked feature in Azure AD which is VERY effective at mitigating password attacks.
    When under threat you should consider changing the default threshold to a very low number.
    For example, if your current setting is 10 I would set it to 5, and change the duration to a longer period like 5 minutes.
    So after 5 wrong passwords for any user you would get a temporary lockout, making it very difficult to guess the password.

    Smart Lockout will also monitor the source IP and block activity from those IPs if it sees suspicious activity like password spraying.


    howto-password-smart-lockout
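
As an added example (not code from any of the answers above), here is the kind of sign-in-log check that separates the spray pattern David describes (one source address, many distinct accounts, one bad password each) from a single user mistyping their own password. The field names follow the Azure AD sign-in log schema; the records, account names and the 203.0.113.10 / 198.51.100.7 addresses are constructed sample data.

```python
# Added example, not from the thread: flag the password-spray pattern in
# Azure AD sign-in log records. Field names follow the sign-in log schema
# (createdDateTime, userPrincipalName, ipAddress, status.errorCode); the
# records and IP addresses below are constructed sample data.
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126  # AADSTS50126: invalid username or password


def rec(ts, upn, ip, code):
    """Build one minimal sign-in record in the sign-in log shape."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


SIGNINS = (
    # one source, six different accounts, each failing once within six minutes
    [rec(f"2022-12-22T14:0{i}:00", f"student{i}@school.example",
         "203.0.113.10", INVALID_PASSWORD) for i in range(6)]
    # one account getting its own password wrong four times: not a spray
    + [rec(f"2022-12-22T14:1{i}:00", "teacher@school.example",
           "198.51.100.7", INVALID_PASSWORD) for i in range(4)]
    # a normal successful sign-in (errorCode 0)
    + [rec("2022-12-22T14:20:00", "teacher@school.example", "198.51.100.7", 0)]
)


def detect_spray(signins, min_users=5, window=timedelta(minutes=10)):
    """Return {ip: sorted distinct accounts} for every source IP that has
    bad-password failures for at least min_users distinct accounts inside
    any sliding time window of the given length."""
    failures = defaultdict(list)
    for s in signins:
        if s["status"]["errorCode"] == INVALID_PASSWORD:
            when = datetime.fromisoformat(s["createdDateTime"])
            failures[s["ipAddress"]].append((when, s["userPrincipalName"]))

    flagged = {}
    for ip, events in failures.items():
        events.sort()  # chronological; the window slides over this list
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {upn for _, upn in events[start:end + 1]}
            # keep the widest distinct-account set seen for this IP
            if len(users) >= min_users and len(users) > len(flagged.get(ip, ())):
                flagged[ip] = sorted(users)
    return flagged
```

Feeding real exported sign-in records into `detect_spray` only requires the same four fields; the per-user failure count that smart lockout acts on is a separate, per-account signal and is deliberately not what this check keys on.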

