Accounts getting locked out

Question

We have an on-premise Active Directory that is synced with Azure AD via Azure AD Sync. We have conditional access policies setup to prevent anyone outside of the United States from being able to access the system.

We've come across a problem where staff are getting locked out of their accounts because of multiple failed attempts to login to their accounts with a bad password. These attempts are coming from outside the United States and conditional access is not being checked. In our testing, it appears that conditional access is only checked after a SUCCESSFUL login attempt.

Is there a way to prevent login attempts entirely if coming from outside of the United States? Or is there a way to prevent staff from being constantly locked out without allowing the bad actors unlimited attempts onto their account?

Answer 1

Hi @Andrew Acuna ,

Geo-IP blocking is probably the best way to do this. To block specific countries you can set up custom rules and security policies, and then restrict the access to your web applications by country or region. To create a geo-filtering custom rule, select "Geo-location" as the Match Type, and then select the country you want to allow/block from your application.

(See Geomatch Custom Rules and Front Door Geo Filtering.)

As you correctly noted, conditional access for MFA only blocks second-factor authentication and does not block first-factor authentication.

Another option that will give you part of what you need is to use Identity Protection to watch accounts for abnormal behavior. It doesn't exclude IPs of specific countries but does catch and block suspicious login attempts. https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection