Office 365: block external authentication requests from specific IP

Hi,

Is it possible somehow in Office 365\Azure AD (without use of ADFS, cloud-only environment) to block authentication requests from a specific IP address (meaning brute-force attacks) before asking for credentials\without account lockout?

If it is not, where could I get official documentation about that?

Thanks.

Hi Tonique,

Thank you for the post. As far as I know, Azure Active Directory (Azure AD) provides a conditional access feature to help manage access issues. You can create custom conditional access policies in the Azure Active Directory Admin Center. For your reference, see What is conditional access in Azure Active Directory. Kindly note that the conditional access feature requires an Azure AD Premium license.

Regards,

Marvin


-----------------------

* Beware of scammers posting fake support numbers here.

* Kindly Mark and Vote this reply if it helps please, as it will be beneficial to more Community members reading here.

2 people found this reply helpful


Hi Marvin,

The conditional access feature is useless in this case because it works after entering credentials.

I need a solution which might block sign-ins from a specific IP (ADFS or an additional VM is not an option), something like a firewall rule.

Regards

4 people found this reply helpful


Hi Tonique,

Based on my knowledge, except for Active Directory Federation Services (ADFS) and conditional access, I cannot find another way to block access from specific IP addresses.

On the other hand, from Wikipedia, "a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly." However, it's hard to make sure which IP address is trying to attack and then block it. In this case, I suggest you enable Multi-Factor Authentication (MFA) in your organization. In a cloud-only environment, users will require the second authentication (text or phone call) after enabling MFA. Meanwhile, you can create an App Password for Office 365 instead of using the real password. It's much easier to guarantee the security requirements in an Office 365 pure cloud environment.

Regards,

Marvin


1 person found this reply helpful


Hi Marvin, thanks for the reply,

All of these features (MFA, conditional access, etc.) work post-authentication, so they cannot protect cloud-based users from brute-force attacks. And I think that's a big unresolved security problem in O365 which could potentially cause loss of users' data. Correct me if I'm wrong :)

Also I think there should be the possibility to block pre-authentication requests from a specific IP\region\country for an individual cloud-based tenant.

P.S. I already have an IP address list of brute-force attackers (it's in the O365 logs), so I don't need to guess; I need to block them, but that's impossible at this time.

Regards.

14 people found this reply helpful
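
An added example, not part of any post in this thread and not Microsoft code: a sketch of how the attacker IP list mentioned in the post above could be derived from exported sign-in log records, separating repeated guessing against one account from guesses spread across many accounts. The record shape (`ipAddress`, `userPrincipalName`, `status.errorCode`), the thresholds and the sample data are assumptions made for this example.

```python
from collections import defaultdict

# AADSTS error codes: 50126 = invalid username or password,
# 50053 = account locked by smart lockout. 0 = success.
BAD_PASSWORD, LOCKED_OUT = 50126, 50053


def _rec(ip, user, code):
    # Minimal record using the sign-in log fields this example relies on.
    return {"ipAddress": ip, "userPrincipalName": user,
            "status": {"errorCode": code}}


# Constructed sample data (documentation IP ranges, made-up users).
SAMPLE = (
    [_rec("203.0.113.7", "alice@example.com", BAD_PASSWORD)] * 10
    + [_rec("203.0.113.7", "alice@example.com", LOCKED_OUT)] * 2
    + [_rec("198.51.100.23", u + "@example.com", BAD_PASSWORD)
       for u in ("alice", "bob", "carol", "dave")]
    + [_rec("192.0.2.10", "bob@example.com", BAD_PASSWORD),   # one typo...
       _rec("192.0.2.10", "bob@example.com", 0)]              # ...then success
)


def summarize_by_ip(records):
    """Count bad-password and lockout events and targeted accounts per source IP."""
    stats = defaultdict(lambda: {"failures": 0, "lockouts": 0, "users": set()})
    for r in records:
        code = r["status"]["errorCode"]
        if code not in (BAD_PASSWORD, LOCKED_OUT):
            continue  # ignore successes and unrelated errors
        s = stats[r["ipAddress"]]
        s["users"].add(r["userPrincipalName"].lower())
        s["failures" if code == BAD_PASSWORD else "lockouts"] += 1
    return stats


def suspicious_ips(records, min_events=10, min_users=3):
    """Return (ip, events, distinct_users, lockouts), busiest source first."""
    rows = []
    for ip, s in summarize_by_ip(records).items():
        events = s["failures"] + s["lockouts"]
        # Flag heavy guessing on one account or guesses spread over many accounts.
        if events >= min_events or len(s["users"]) >= min_users:
            rows.append((ip, events, len(s["users"]), s["lockouts"]))
    return sorted(rows, key=lambda row: -row[1])


if __name__ == "__main__":
    for row in suspicious_ips(SAMPLE):
        print(row)
```
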


Hi Tonique,

As far as I know, brute-force attacks take up a large volume of resources and time to make every possible attempt. For an eight-digit password including numbers, uppercase/lowercase letters and characters, it will take billions of attempts.

But in Office 365 and Azure AD by default, one user can make 10 unsuccessful sign-in attempts with the wrong password. After that, the account will be locked for one minute. And further incorrect attempts will lock out the user for increasing durations of time. For your reference, see Azure Active Directory smart lockout.

Besides, even if the attacker makes the right attempt at the password, they still cannot access the resources of this account because the text including the access code (or the phone call) will be sent to your own phone before you sign in. So it's not necessary to worry about the brute-force attacks.

Regards,

Marvin


2 people found this reply helpful


Hi,

So we additionally have annoying periodic account lockouts, in case of attacks, which are impossible to prevent (without pre-authentication blocking).

On the other hand, frequent lockouts create additional challenges for tech support and user dissatisfaction.

Also, in case of the attacker's right attempt at the password, even if he didn't get access to resources he still got a password, and that is a security threat. And there are no tools in O365 to prevent loss of passwords in case of brute-force attacks.

P.S.: smart lockout is another post-authentication feature, which is also useless against brute force (password loss).

Regards.

6 people found this reply helpful


Are you asking whether it's possible to block an external IP before the attacker keys in anything on the login page?

Vincent Choy
Volunteer Contributor


Microsoft doesn't pay me to be here. I am a user just like you. If you find my reply useful, would appreciate if you can click it as helpful.

1 person found this reply helpful


I am searching for an O365 feature to block an attacker by IP before he enters the credentials (ADFS is not an option).

2 people found this reply helpful


Hi Tonique,

As much as I'd love to help, to my knowledge, it's infeasible for Office 365 to block an IP address before someone tries to enter the credentials and sign in to Office 365. You can try to suggest the feature on the Office 365 UserVoice website. The development team may consider it if your suggestion gets a large enough volume of votes. And many features come out in this way. Your time and understanding are highly appreciated.

Regards,

Marvin


2 people found this reply helpful


Hi Marvin,

Thanks for the reply.

2 people found this reply helpful


Question Info

Last updated March 29, 2025 Views 22,337