
What is the best way to stop excess login attempts for 1 of our users?

Scott Turner 0 Reputation points
2026-04-07T15:50:37.96+00:00

I was looking at some Sign-In logs and found a user with excessive login attempts from all over the world. I am thinking that I need to set a policy that allows login for him from the office IP address only. His system has had no issues with login and authentication.

Thanks for your time

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Vasil Michev 126K Reputation points MVP Volunteer Moderator
    2026-04-07T16:58:30.0766667+00:00

    You cannot really prevent such "brute-force" attacks, at least not without creating additional inconveniences for the user. As Entra/M365 are globally available cloud services, anyone that knows the user ID/UPN can attempt to login. Changing the UPN to a new value can (at least temporarily) alleviate the issue, but will force the user to re-login at best, and might cause issues with some apps, at worst. Plus, it is no guarantee: as soon as the attacker gets the new UPN, the issue arises again.

    The best thing to do is make sure you've covered the basics - the user account (in fact ALL user accounts) should be protected by MFA and ideally using a phish-resistant auth method. Conditional access policies should be in place to restrict login attempts via less secure methods and from unknown locations (or unmanaged devices, if your organization uses an MDM solution). Keep in mind that none of these will prevent new login attempts though, they all act after the initial credential validation.

    Microsoft does have some protection in place to block such attempts, but as you can see, not everything is covered. Plus, you have no control over the settings for Smart lockout and such. It's just a fact of life with cloud services.


  2. Q&A Assist
    2026-04-07T15:50:50.04+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Use Microsoft Entra’s built-in protections plus Conditional Access to tightly control where that user can sign in and to automatically mitigate the attack.

    1. Harden sign-in for that user
      • Ensure strong authentication (MFA) is required for the user so that even if the password is known, sign-in fails at MFA.
      • Consider using Microsoft Entra ID Protection to block sign-ins when user or sign-in risk is high (for example, “block users if risk = high”). This helps automatically mitigate suspected account compromise.
    2. Restrict sign-in location with Conditional Access
      • Create a Conditional Access policy targeting that specific user.
      • Define a named location for the office public IP range.
      • Configure the policy so that:
        • Grant access only when the sign-in originates from the trusted office IP (named location), and
        • Block access from all other locations.
      • For privileged or sensitive accounts, this is explicitly recommended: apply stricter conditions such as “only from trusted IP addresses.”
    3. Rely on Smart lockout and Entra protections
      • Smart lockout is always on and will automatically lock the account after repeated failed attempts (default 10 failed attempts for Azure Public tenants, 3 for Azure US Government tenants). This slows down brute-force and password-spray attacks while allowing legitimate users from familiar locations to continue working.
      • Smart lockout differentiates between familiar and unfamiliar locations and maintains separate lockout counters, helping protect against global attack traffic while minimizing impact on normal use.
      • Microsoft Entra ID also analyzes IP and anomalous behavior and can block malicious sign-ins by default, returning error AADSTS50053 when sign-ins are blocked regardless of password validity.
    4. Monitor and tune
      • Continue to monitor Sign-in logs for that user for:
        • Many failed authentications from multiple IPs (possible password spray or brute force).
        • “Interrupted” sign-ins with Conditional Access failures, which can indicate that the password is correct but MFA is not being completed (possible compromised password, attacker blocked at MFA).
      • Review whether the Conditional Access and risk policies are too aggressive or too permissive, and adjust to reduce noise while maintaining strong protection.

    This combination—Conditional Access restricted to office IP, enforced MFA, ID Protection risk-based blocking, and Smart lockout—provides the most effective way to stop excess login attempts from around the world for that specific user while keeping legitimate office access working.


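To put the "Monitor and tune" checks from the answer above into practice, here is an added example (not code from the answer, the asker, or Microsoft) that runs them over constructed sign-in log rows: it counts failed attempts per user across distinct IPs and countries, separates Smart lockout events, and flags off-site sign-ins where the password was accepted but Conditional Access/MFA stopped the sign-in. The office range 203.0.113.0/24, the sample rows, and the alert thresholds are assumptions.

```python
import ipaddress
import json
from collections import defaultdict
# Constructed sample rows in the shape of an Entra sign-in log export (one JSON object per
# line); all values are made up. errorCode 0 = success, 50126 = bad password, 50053 = Smart
# lockout (AADSTS50053); conditionalAccessStatus "failure" = a CA control blocked the sign-in.
SAMPLE_LOG = """\
{"userPrincipalName":"jdoe@contoso.example","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0},"conditionalAccessStatus":"success"}
{"userPrincipalName":"jdoe@contoso.example","ipAddress":"198.51.100.7","location":{"countryOrRegion":"BR"},"status":{"errorCode":50126},"conditionalAccessStatus":"notApplied"}
{"userPrincipalName":"jdoe@contoso.example","ipAddress":"198.51.100.7","location":{"countryOrRegion":"BR"},"status":{"errorCode":50126},"conditionalAccessStatus":"notApplied"}
{"userPrincipalName":"jdoe@contoso.example","ipAddress":"192.0.2.44","location":{"countryOrRegion":"RU"},"status":{"errorCode":50126},"conditionalAccessStatus":"notApplied"}
{"userPrincipalName":"jdoe@contoso.example","ipAddress":"192.0.2.44","location":{"countryOrRegion":"RU"},"status":{"errorCode":50053},"conditionalAccessStatus":"notApplied"}
{"userPrincipalName":"jdoe@contoso.example","ipAddress":"198.51.100.200","location":{"countryOrRegion":"NG"},"status":{"errorCode":53003},"conditionalAccessStatus":"failure"}
"""
OFFICE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # assumed office egress range

def in_office(ip):
    return any(ipaddress.ip_address(ip) in net for net in OFFICE_RANGES)
def parse_signin_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]
def summarize(events):
    """Per-user counters for the two log patterns the answer says to watch for."""
    stats = defaultdict(lambda: {"failed": 0, "failed_ips": set(), "countries": set(),
                                 "lockouts": 0, "ca_failures_offsite": 0, "offsite_success": 0})
    for e in events:
        s = stats[e["userPrincipalName"]]
        code = e["status"]["errorCode"]
        offsite = not in_office(e["ipAddress"])
        s["countries"].add(e["location"]["countryOrRegion"])
        if code == 50053:  # Smart lockout fired; not a password guess in itself
            s["lockouts"] += 1
        elif e["conditionalAccessStatus"] == "failure":  # password accepted, CA/MFA blocked it
            if offsite: s["ca_failures_offsite"] += 1
        elif code != 0:  # credential rejected
            s["failed"] += 1
            s["failed_ips"].add(e["ipAddress"])
        elif offsite:  # successful sign-in from outside the office range
            s["offsite_success"] += 1
    return stats

def findings(stats, max_failed=3, max_ips=2):
    out = []
    for upn, s in stats.items():
        if s["failed"] >= max_failed and len(s["failed_ips"]) >= max_ips:
            out.append(f"{upn}: {s['failed']} failures from {len(s['failed_ips'])} IPs, countries {sorted(s['countries'])} (spray/brute force)")
        if s["ca_failures_offsite"]:
            out.append(f"{upn}: {s['ca_failures_offsite']} off-site sign-in(s) passed the password but failed CA/MFA (rotate password)")
        if s["offsite_success"]:
            out.append(f"{upn}: {s['offsite_success']} successful sign-in(s) outside the office range (review)")
    return out
```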
