Login attempts using Password Hash Sync

DutchIvan 31 Reputation points
2022-12-21T14:55:29.197+00:00

First of all legacy auth is blocked, all other countries are blocked, MFA is enforced for everyone, and other risk factors block access.

The issue is Password Hash Sync that's used to support Hybrid Azure AD doesn't trigger any conditional access policies. So I have thousands of malicious logins all over the globe trying to log in to users' accounts with Password Hash Sync. This triggers smart lockout, which does its thing and locks people out for a brief time and blocks the IP eventually, but is annoying. Is there really no method for blocking these?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Akshay-MSFT 18,011 Reputation points Microsoft Employee Moderator
    2022-12-22T07:44:12.767+00:00

    Hello @DutchIvan ,

    I would suggest using the trusted location IP address ranges. Make a policy to block access by location and exclude the trusted IP named location from the same.

    This would block any request from non-trusted IP ranges.


    Named locations defined by IPv4/IPv6 address ranges are subject to the following limitations:

    • Configure up to 195 named locations
    • Configure up to 2000 IP ranges per named location
    • Both IPv4 and IPv6 ranges are supported
    • Private IP ranges can't be configured
    • The number of IP addresses contained in a range is limited. Only CIDR masks greater than /8 are allowed when defining an IP range.

    Apart from this, if the devices are hybrid AD joined you could use Require Hybrid Azure AD joined device, and for mobile devices you could use Require device to be marked as compliant if you are using MEM (Intune). This would immediately block access from devices not meeting the criteria.


    Please do let me know if you have any queries in the comments section.

    Thanks,
    Akshay Kaushik

    Please "Accept the answer", "Upvote" and rate your experience if the suggestion works as per your business need. This will help us and others in the community as well.
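    An added example (not part of the answer above, nor Microsoft's own tooling) showing how a defender might pre-check a candidate trusted-IP list against the named-location limits quoted above and build the Microsoft Graph `ipNamedLocation` request body for it. The limits and the RFC 1918 / IPv6 ULA definition of "private" are assumptions taken from the answer; the sample ranges are constructed documentation address space.

    ```python
    import ipaddress
    import json

    # Limits quoted in the answer above for IP-based named locations.
    MAX_IP_RANGES_PER_LOCATION = 2000
    MIN_PREFIX_LENGTH = 9  # "only CIDR masks greater than /8" -> /9 and longer
    # Assumed meaning of "private IP ranges": RFC 1918 space plus IPv6 ULA.
    PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


    def validate_ip_ranges(ranges):
        """Return a list of problems; an empty list means the ranges fit the limits."""
        problems = []
        if len(ranges) > MAX_IP_RANGES_PER_LOCATION:
            problems.append(f"{len(ranges)} ranges exceed the per-location limit "
                            f"of {MAX_IP_RANGES_PER_LOCATION}")
        for cidr in ranges:
            try:
                net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
            except ValueError as exc:
                problems.append(f"{cidr}: not a valid CIDR range ({exc})")
                continue
            if any(net.overlaps(p) for p in PRIVATE_NETWORKS):
                problems.append(f"{cidr}: private ranges can't be configured")
            if net.prefixlen < MIN_PREFIX_LENGTH:
                problems.append(f"{cidr}: mask must be greater than /8")
        return problems


    def build_named_location(display_name, ranges, trusted=True):
        """Build the Graph body for POST /identity/conditionalAccess/namedLocations."""
        problems = validate_ip_ranges(ranges)
        if problems:
            raise ValueError("; ".join(problems))
        ip_ranges = []
        for cidr in ranges:
            version = ipaddress.ip_network(cidr).version
            kind = "iPv4CidrRange" if version == 4 else "iPv6CidrRange"
            ip_ranges.append({"@odata.type": f"#microsoft.graph.{kind}", "cidrAddress": cidr})
        return {
            "@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": display_name,
            "isTrusted": trusted,  # the blocking policy excludes trusted locations
            "ipRanges": ip_ranges,
        }


    if __name__ == "__main__":
        # Constructed sample: documentation address space standing in for office egress.
        body = build_named_location("Office egress (sample)", ["203.0.113.0/24", "2001:db8::/32"])
        print(json.dumps(body, indent=2))
        print(validate_ip_ranges(["10.0.0.0/8", "203.0.113.5/24", "196.0.0.0/7"]))
    ```
    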


  2. Mike Akam 0 Reputation points
    2023-07-03T08:35:58.74+00:00

    We have the same problem, and configured in the same way where we only allow trusted IPs. Did you get an answer in the end? Microsoft, can you help here?

    Thanks,

    Mike

