Are there any additional protections on top of Security Defaults we should have in place to protect from persistent overseas login attempts?

Bevan Calliess 20 Reputation points
2025-06-20T04:37:30.8333333+00:00

We're a small not-for-profit using Microsoft 365 with Security Defaults enabled, so all our users have MFA configured. However, we're seeing a consistent volume of failed login attempts from international IPs—none successful, but still concerning.

Example entries in the sign-in logs include error codes 50053 and 50126, originating from countries such as Vietnam, Ecuador, and Iraq.

As a not-for-profit, we unfortunately don't have the budget for a security expert and have limited in-house security expertise, which is why Security Defaults seemed like the best fit. From what I’ve read, tactics like location blocking, IP restrictions, or high-risk sign-in policies appear to require either turning off Security Defaults to implement Conditional Access (which feels risky given our expertise) or upgrading beyond our current Entra ID Premium P1 licensing.

Are there any additional steps we can take—without turning off Security Defaults—to further protect our accounts or reduce the volume of these login attempts? Or are these kinds of attempts simply part of the landscape we have to live with these days?

We’d really appreciate any insights or suggestions from the community.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Raja Pothuraju 24,385 Reputation points Microsoft External Staff Moderator
    2025-06-23T13:05:44.0933333+00:00

    Hello Bevan Calliess,

    The AADSTS50126 error is triggered when a user enters an incorrect password during sign-in.

    The AADSTS50053 error occurs when a user repeatedly enters an incorrect password, often originating from countries such as Vietnam, Ecuador, and Iraq, as you described. Due to multiple failed sign-in attempts, the account is flagged as risky, and the user is subsequently blocked.

    You can find more information about this error here: Microsoft Entra authentication and authorization error codes.

    For more details, please refer to the document on Protect user accounts from attacks with Microsoft Entra smart lockout.

    Using Conditional Access policies instead of Security Defaults provides more flexibility in securing user sign-ins from unmanaged devices or unfamiliar locations.

    Security Defaults only enforce MFA at the time of application sign-ins and offer limited control. In contrast, Conditional Access policies provide more advanced options to secure your tenant—such as blocking sign-ins from specific locations using location-based policies.

    Security Defaults, Per-user MFA, and Conditional Access policies each offer different levels of security. You can choose the most suitable option based on your organization’s security requirements.

    1. Security Defaults enforce MFA at sign-in for all users but offer limited customization. They do not require Premium P1 or P2 licenses, but you cannot exclude specific users or tailor conditions.
    2. Per-user MFA allows you to enable MFA on a per-user basis. However, it does not support exclusions based on applications or conditions.
    3. Conditional Access policies provide granular control and allow targeting specific users, apps, device platforms, and sign-in conditions. This is the most flexible and secure option for managing access. Requires at least a Premium P1 license.

    For more information, please refer to the following resources on:

    Blocking sign-ins based on location

    Configuring risk-based policies

    Device-based Conditional Access policy
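
A triage sketch for the question's "none successful" check, added here as an example (not code from either answer or from Microsoft): it tallies the 50126 and 50053 failures per account and flags any successful sign-in that comes from an IP already seen failing or from outside an assumed home country. It assumes records shaped like Microsoft Graph `signIn` objects; the sample data, the `home_countries` value and the function names are constructed for illustration.

```python
from collections import defaultdict

BAD_PASSWORD, LOCKED_OUT, SUCCESS = 50126, 50053, 0  # AADSTS codes; 0 = success

def _rec(ts, upn, ip, country, code):
    # Hypothetical helper: builds a record with Graph signIn field names.
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": code}}

# Constructed sample data (not real logs); IPs are documentation ranges.
SAMPLE = [
    _rec("2025-06-19T01:00:00Z", "amy@example.org", "203.0.113.7", "VN", 50126),
    _rec("2025-06-19T01:01:00Z", "amy@example.org", "203.0.113.7", "VN", 50126),
    _rec("2025-06-19T01:05:00Z", "amy@example.org", "198.51.100.9", "EC", 50053),
    _rec("2025-06-19T02:00:00Z", "bob@example.org", "192.0.2.44", "IQ", 50126),
    _rec("2025-06-19T03:00:00Z", "bob@example.org", "192.0.2.10", "AU", 0),
    _rec("2025-06-19T04:00:00Z", "carol@example.org", "203.0.113.7", "VN", 0),
]

def triage(records, home_countries=("AU",)):
    """Return (per-user failure summary, successful sign-ins that need review)."""
    summary = defaultdict(lambda: {"bad_password": 0, "locked_out": 0, "countries": set()})
    failing_ips, alerts = set(), []
    # Process in time order so "IP seen failing" only counts earlier failures.
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        user = rec["userPrincipalName"].lower()
        code = rec["status"]["errorCode"]
        country = (rec.get("location") or {}).get("countryOrRegion") or "unknown"
        ip = rec.get("ipAddress")
        if code in (BAD_PASSWORD, LOCKED_OUT):
            entry = summary[user]
            entry["bad_password" if code == BAD_PASSWORD else "locked_out"] += 1
            entry["countries"].add(country)
            failing_ips.add(ip)
        elif code == SUCCESS:
            reasons = []
            if ip in failing_ips:
                reasons.append("ip_seen_failing")
            if country not in home_countries:
                reasons.append("outside_home_countries")
            if reasons:
                alerts.append({"user": user, "ip": ip, "country": country, "reasons": reasons})
    return dict(summary), alerts

if __name__ == "__main__":
    summary, alerts = triage(SAMPLE)
    for user, s in summary.items():
        print(user, s["bad_password"], s["locked_out"], sorted(s["countries"]))
    for alert in alerts:
        print("REVIEW:", alert)
```

An empty review list over the exported period corresponds to the "none successful" observation in the question; any entry in it is a sign-in to check with the user concerned.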


1 additional answer

  1. Vasil Michev 119.9K Reputation points MVP Volunteer Moderator
    2025-06-20T06:54:49.5566667+00:00

    Well, the reality is that cloud services are open to such attacks by definition, as access is available from anywhere, at any time. Conditional access and similar features can indeed help, but they act after the initial authentication, so they cannot block credential compromise. In that sense, seeing error codes 50053 and 50126 in your logs is not unusual or unexpected.

    The best line of defense is to switch to passwordless, if possible. Other than that, make sure your users have a strong password configured AND an additional MFA factor, such as Microsoft Authenticator. By leveraging CA (or per-user MFA) you can optionally enforce MFA to be used at every login and a plethora of other conditions/controls, but at the end of the day the only real solution to such "brute force" attempts is to move away from using passwords... which is not fully possible in M365, currently.

