Unknown logins originating from Microsoft IPs locking out accounts

John Nickle 0 Reputation points
2024-01-08T17:28:15.89+00:00

Hello! We are seeing a few users getting internal accounts locked out, seemingly from external requests hitting ADFS. I have attempted to set up a conditional policy to stop the requests, but it still seems to count as a bad login and will lock the account. How can I identify where these login requests are coming from or, better yet, how to stop them from hitting the ADFS server and locking accounts? Update: I am limited to one attachment, but the location tab shows an IP address of 52.96.29.61 and an ASN of 8075.

Thanks!

John

Microsoft Entra ID

2 answers

  1. David Broggy 5,701 Reputation points MVP
    2024-01-08T21:28:52.1366667+00:00

    Hi John,

    If you're using Smart Lockout on Azure AD you can set a lockout threshold, and even if the user gets locked out it should reset and allow access after the defined duration.

    https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-smart-lockout

    A similar feature is described above for AD FS - smart lockout.

    Hope that helps.


  2. Sandeep G-MSFT 16,691 Reputation points Microsoft Employee
    2024-01-10T10:12:13.5833333+00:00

    @John Nickle

    Thank you for posting this in Microsoft Q&A.

    The IP address that you have mentioned in your query is a Microsoft IP address. This address gets tracked in sign-in logs when any Azure services are accessed.

    About the user accounts getting locked out in on-premises Active Directory, you can stop this from happening in ADFS itself.

    In AD FS on Windows Server 2012 R2 onwards, we introduced a security feature called Extranet Lockout. With this feature, AD FS will "stop" authenticating the "malicious" user account from outside for a period of time. This prevents your user accounts from being locked out in Active Directory. In addition to protecting your users from an AD account lockout, AD FS extranet lockout also protects against brute force password guessing attacks.

    This feature only works for the extranet scenario where the authentication requests come through the Web Application Proxy and only applies to username and password authentication.

    Advantages of Extranet lockout

    Extranet lockout provides the following key advantages:

    • It protects your user accounts from brute force attacks where an attacker tries to guess a user's password by continuously sending authentication requests. In this case, AD FS will lock out the malicious user account for extranet access.
    • It protects your user accounts from malicious account lockout where an attacker wants to lock out a user account by sending authentication requests with wrong passwords. In this case, although the user account will be locked out by AD FS for extranet access, the actual user account in AD isn't locked out and the user can still access corporate resources within the organization. This is known as a soft lockout.

    You can configure this feature in ADFS by following the articles below:

    https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-soft-lockout-protection#how-it-works

    https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection

    Let me know if you have any further questions on this.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

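The procedure the answer above describes (identify where the failed attempts come from, then let AD FS absorb them with extranet smart lockout instead of passing the bad-password count through to Active Directory), as an added PowerShell example. It is not part of the original thread or of Microsoft's documentation. It assumes a Windows Server 2016 or later AD FS farm that already has the smart lockout cmdlets, an elevated session on a farm node, and AD FS auditing enabled; the thresholds, the user name and the "Client IP:" field format in event 411 are illustrative assumptions, so check them against your own farm before relying on them.

```powershell
# Added example, not from the original thread. Assumes: Windows Server 2016+
# AD FS farm with extranet smart lockout available, elevated PowerShell on a
# farm node, AD FS auditing switched on. All thresholds and the sample user
# below are illustrative values, not Microsoft recommendations.
Import-Module ADFS

# --- 1. Where are the failed logins coming from? -------------------------
# AD FS writes failed token validations as event 411 (provider "AD FS Auditing")
# in the Security log once auditing is on. Requests that arrive through the
# Web Application Proxy carry the external client address in the message.
# Assumption: the message contains a line of the form "Client IP: <ip>".
Set-AdfsProperties -AuditLevel Basic
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable | Out-Null

$since = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'AD FS Auditing'
    Id           = 411
    StartTime    = $since
} -ErrorAction SilentlyContinue

# Pull the client IP out of each event and rank the sources. A handful of
# addresses producing most of the failures is the password-spray signature.
$failed |
    ForEach-Object {
        if ($_.Message -match 'Client IP:\s*([0-9a-fA-F\.:]+)') { $Matches[1] }
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# --- 2. Keep the bad-password count out of Active Directory -------------
# Extranet lockout only helps if AD FS trips BEFORE the AD lockout policy
# does, so the AD FS threshold must stay below the domain's LockoutThreshold
# (read it with Get-ADDefaultDomainPasswordPolicy if the ActiveDirectory
# module is installed). Illustrative: AD threshold 15, AD FS threshold 10.
$adLockoutThreshold   = 15    # replace with your domain policy value
$adfsExtranetThreshold = 10
if ($adfsExtranetThreshold -ge $adLockoutThreshold) {
    throw "AD FS threshold must be lower than the AD lockout threshold, or AD still locks the account."
}

# Start in log-only mode. AD FS then learns each user's "familiar" IPs from
# successful logins and writes what it WOULD have blocked, without blocking.
Set-AdfsProperties -EnableExtranetLockout $true `
    -ExtranetLockoutMode ADFSSmartLockoutLogOnly `
    -ExtranetLockoutThreshold $adfsExtranetThreshold `
    -ExtranetLockoutThresholdFamiliarLocation $adfsExtranetThreshold `
    -ExtranetObservationWindow (New-TimeSpan -Minutes 30) `
    -ExtranetLockoutRequirePDC $false

# After a few days of learning, switch to enforcement. Attempts from unknown
# IPs are then rejected at AD FS once the threshold is hit, while the user
# keeps working from familiar IPs and the AD account itself is never locked.
Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutEnforce

# Confirm the final state.
Get-AdfsProperties |
    Select-Object EnableExtranetLockout, ExtranetLockoutMode,
                  ExtranetLockoutThreshold, ExtranetLockoutThresholdFamiliarLocation,
                  ExtranetObservationWindow, ExtranetLockoutRequirePDC

# --- 3. Triage one affected user ----------------------------------------
# Separate familiar-location failures (likely the real user) from
# unknown-location failures (likely the external source found in step 1).
$user = 'jdoe@contoso.com'   # sample identity, not from the thread
$activity = Get-ADFSAccountActivity -Identity $user
$activity | Select-Object BadPwdCountFamiliar, BadPwdCountUnknown,
                          FamiliarLockout, UnknownLockout, FamiliarIps

# If the user is blocked at AD FS only from unknown locations, clear that
# counter without touching the (untouched) AD account.
if ($activity.UnknownLockout) {
    Reset-ADFSAccountLockout -Identity $user -Location Unknown
}
```

Run step 1 on the AD FS server, not the WAP, and keep the log-only period long enough for users who travel to sign in successfully from their usual locations; otherwise their first trip will look like an unknown-location spray. The cmdlets in step 2 must be run on the primary node of a WID farm.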