Azure AD Conditional Access Policy Country Blocking

DutchIvan 31 Reputation points
2022-12-19T20:14:37.897+00:00

Country blocking has been working well with regard to not allowing access from countries that are not approved. However, with country blocking we still get numerous login attempts from malicious users from countries that are blocked that trigger either an account lock or require the user to re-authenticate, which is very cumbersome.

Any guidance would be appreciated, thank you.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author
  1. Dillon Silzer 60,816 Reputation points Volunteer Moderator
    2022-12-20T02:58:33.267+00:00

    Hi @DutchIvan

    Check your policies with Cloud App Security:

    1) Go to https://portal.cloudappsecurity.com/

    2) Go to Control > Policies

    [Screenshot: 272257-image.png]

    3) Open the following policies:

    [Screenshot: 272220-image.png]

    4) Check your Governance actions (and I'd recommend unchecking the following unless you want this type of behaviour to continue disrupting your users):

    [Screenshot: 272321-image.png]

    Note: If you have a tight security policy, keep these checked, but I happen to have the same thing going on and if this is checked off it is creating a kind of DoS (Denial of Service) attack.


    If this is helpful, please accept the answer.

1 additional answer

  1. DutchIvan 31 Reputation points
    2022-12-20T15:24:33.43+00:00

    DillonJS,

    Thanks for the thoughtful reply with screenshots. That is a great idea to look at and illuminated something else I need to look into. I don't have those governance options; I can only select Office 365, which has two options under it: suspend and confirm user compromised. So I will look at our settings to see if I am missing something.

    Anyway, the actual solution was an issue we had with a conditional access policy that we had set to block legacy authentication. Other clients like POP, IMAP, and SMTP were being blocked, but we didn't check Exchange ActiveSync authentication requests. Enabling this cut about 700 malicious login attempts a day and ultimately will prevent users from getting locked out with that method.

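The gap described in the answer above, as an added example that is not part of the original thread: a check of whether a legacy-authentication block policy selects both legacy client-app types, run against sign-in records. The policy uses the Microsoft Graph conditional access policy shape; the policy, the sign-in records and the `clientAppUsed`-to-`clientAppTypes` mapping are constructed assumptions.

```python
from collections import Counter

# Assumed mapping: sign-in log clientAppUsed value -> the Conditional Access
# clientAppTypes value a policy must select to match that client.
LEGACY_TO_CA_TYPE = {
    "Exchange ActiveSync": "exchangeActiveSync",
    "IMAP4": "other",
    "POP3": "other",
    "Authenticated SMTP": "other",
}
LEGACY_CA_TYPES = {"exchangeActiveSync", "other"}


def uncovered_legacy_types(policy):
    """Return the legacy client-app types this block policy does not match."""
    blocks = "block" in policy["grantControls"]["builtInControls"]
    if policy["state"] != "enabled" or not blocks:
        return set(LEGACY_CA_TYPES)
    selected = set(policy["conditions"]["clientAppTypes"])
    return set() if "all" in selected else LEGACY_CA_TYPES - selected


def unblocked_legacy_signins(policy, signins):
    """Count sign-ins per legacy client that fall outside the policy."""
    gaps = uncovered_legacy_types(policy)
    hits = Counter()
    for entry in signins:
        ca_type = LEGACY_TO_CA_TYPE.get(entry["clientAppUsed"])
        if ca_type in gaps:
            hits[entry["clientAppUsed"]] += 1
    return hits


# Constructed policy: legacy-auth block with only "Other clients" selected.
POLICY = {
    "displayName": "Block legacy authentication (constructed)",
    "state": "enabled",
    "conditions": {"clientAppTypes": ["other"]},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
# Constructed sign-in records, reduced to the one field the check reads.
SIGNINS = [
    {"clientAppUsed": "Exchange ActiveSync"},
    {"clientAppUsed": "Exchange ActiveSync"},
    {"clientAppUsed": "IMAP4"},
    {"clientAppUsed": "Browser"},
]

if __name__ == "__main__":
    print("uncovered:", uncovered_legacy_types(POLICY))
    print("not matched by policy:", dict(unblocked_legacy_signins(POLICY, SIGNINS)))
```

With `exchangeActiveSync` added to the policy's `clientAppTypes`, both functions return empty results for the same records.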
