Is there an option to disable international logins in O365?

thecomputerguy

Some of my clients have several or hundreds of attempts to login to the account using single factor auth from foreign countries. They are all unsuccessful because of 2FA, but is there a way to just decline all overseas logins? Maybe also to disable logins from New York/Ashburn Virginia which are common VPN points for compromises?

I'm in CA so a login outside of CA is extremely EXTREMELY rare.
 
What's the motivation? Are they tired of getting notifications?


But I think the above does not include the consumer versions of M365.
Main thing is it just makes me uncomfortable when I look at Azure logs and see so many attempted logins. The clients don't know about any of this but I figured international auto denial should be simple but I can't find it.

Last week I somehow had a client who was breached with MFA enabled via authenticator and had no idea how that can happen aside from some sheer stupidity of the user, so I thought I'd ask if there's a way to auto block anything outside of CA so there aren't even attempted logins from SCHEANGJO CHINA.
 
Main thing is it just makes me uncomfortable when I look at Azure logs and see so many attempted logins.

But that aspect of things is not going to change. And it's completely unsurprising to me that there are many, many login attempts. If they don't succeed, they're background noise unless a pattern emerges that suggests targeting.
 
Last week I somehow had a client who was breached with MFA enabled via authenticator
Easy. If it is set to just push a notification then plenty of stupid users will just blind push approve. You want passwordless login enabled. There you have to punch in the displayed code. If the prompt just comes up they have no code displayed and that stops the attempts.
 
Yup conditional access, named locations. I use the inverse of that to ease the nagginess of MFA at clients offices....whitelisting their offices WAN IP address for MFA.

You'll need licensing that supports Conditional Access....so those entry level licenses like Std don't support this and many other important features.
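The Conditional Access plus named locations approach described above, sketched with Microsoft Graph PowerShell as an added example (not code posted by anyone in this thread). The display names, the country list and the break-glass account ID are placeholders to replace with your own.

```powershell
# Added example: requires the Microsoft.Graph PowerShell module and a license
# tier that includes Conditional Access. Names and IDs below are placeholders.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# 1. Named location listing the countries sign-ins are expected from.
$allowed = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Allowed countries (example)'
    countriesAndRegions               = @('US')
    includeUnknownCountriesAndRegions = $false
}

# 2. Policy: block every location except the named location created above.
$policy = @{
    displayName   = 'Block sign-ins outside allowed countries (example)'
    # Report-only first: review the impact in the sign-in logs, then switch
    # state to 'enabled' once no legitimate users would be blocked.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{
            includeUsers = @('All')
            # Placeholder: object ID of an emergency-access account, so a
            # mistake in the location list cannot lock every admin out.
            excludeUsers = @('<break-glass-account-object-id>')
        }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @($allowed.Id)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Country named locations work at country level only; restricting to a state or to office addresses needs an IP-range named location instead. Conditional Access is evaluated after first-factor authentication, so wrong-password attempts from abroad still show up in the sign-in logs.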
 
Main thing is it just makes me uncomfortable when I look at Azure logs and see so many attempted logins. The clients don't know about any of this but I figured international auto denial should be simple but I can't find it.

Last week I somehow had a client who was breached with MFA enabled via authenticator and had no idea how that can happen aside from some sheer stupidity of the user, so I thought I'd ask if there's a way to auto block anything outside of CA so there aren't even attempted logins from SCHEANGJO CHINA.
When I first started self hosting I used to get all worked up with all the knocking on the door on the servers. There'd be some who'd be knocking 1000's of times a day. Used to do a reverse lookup to find who owned the IP, sent emails to abuse@fqdn but never heard back. After a few months and doing some research just decided it ain't broke so don't fix it.
 
When I first started self hosting I used to get all worked up with all the knocking on the door on the servers. There'd be some who'd be knocking 1000's of times a day. Used to do a reverse lookup to find who owned the IP, sent emails to abuse@fqdn but never heard back. After a few months and doing some research just decided it ain't broke so don't fix it.
This. You can't stop it. So long as the end user isn't getting an authentication prompt on their phone I wouldn't worry about it. I was getting such prompts on my account a few weeks back and I had to block some overseas IP addresses that were the source. Fortunately, I have passwordless login enabled so all I see are prompts to input a 2 digit code. As I don't see a code on any of my machines it isn't possible for me to just hit accept and let a bad guy in.
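An added example (not from any poster in this thread) of separating the background noise discussed above from the sign-ins that matter: foreign attempts where the password was accepted and only MFA or Conditional Access stood in the way. The records are constructed samples shaped like Entra ID sign-in log entries, and the home country and user names are assumptions.

```powershell
# Constructed sample sign-in records (not real log data).
$signIns = @(
    [pscustomobject]@{ User = 'alice@contoso.example'; Country = 'CN'; ErrorCode = 50126 }
    [pscustomobject]@{ User = 'alice@contoso.example'; Country = 'RU'; ErrorCode = 50126 }
    [pscustomobject]@{ User = 'alice@contoso.example'; Country = 'US'; ErrorCode = 0 }
    [pscustomobject]@{ User = 'bob@contoso.example';   Country = 'CN'; ErrorCode = 50074 }
    [pscustomobject]@{ User = 'bob@contoso.example';   Country = 'CN'; ErrorCode = 500121 }
    [pscustomobject]@{ User = 'carol@contoso.example'; Country = 'BR'; ErrorCode = 0 }
)

$homeCountry = 'US'   # assumption: all legitimate users sign in from here

# Error codes that only occur after the password was accepted:
# 50074/50076 = MFA required, 500121 = MFA failed or denied,
# 53003 = blocked by Conditional Access. 50126 = wrong username/password.
$passwordKnown = 50074, 50076, 500121, 53003

$report = $signIns |
    Where-Object Country -ne $homeCountry |
    Group-Object User |
    ForEach-Object {
        $bad  = @($_.Group | Where-Object ErrorCode -eq 50126)
        $hits = @($_.Group | Where-Object { $_.ErrorCode -in $passwordKnown })
        $ok   = @($_.Group | Where-Object ErrorCode -eq 0)
        [pscustomobject]@{
            User          = $_.Name
            BadPassword   = $bad.Count
            PasswordKnown = $hits.Count
            Succeeded     = $ok.Count
            Verdict       = if ($ok.Count) { 'investigate: foreign sign-in succeeded' }
                            elseif ($hits.Count) { 'reset password: first factor passed' }
                            else { 'noise' }
        }
    }

$report | Format-Table -AutoSize
```

On the sample data alice is noise, bob's password is known to the attacker even though MFA held, and carol needs investigating.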
 
When I first started self hosting I used to get all worked up with all the knocking on the door on the servers. There'd be some who'd be knocking 1000's of times a day. Used to do a reverse lookup to find who owned the IP, sent emails to abuse@fqdn but never heard back. After a few months and doing some research just decided it ain't broke so don't fix it.
Pretty frightening at first when you see "logs" from external facing services. I remember my first eye opener with firewalls, really granular and detailed firewalls, such as Microsoft's ISA... back when I was playing with it to learn it in the early Action Pack days. It was bundled with Small Business Server 2000/2003 Premium. Basically their improved "proxy server". Or if you crank up the logging of some *nix router distros. There's a lot of "noise".
 
Or if you crank up the logging of some *nix router distros. There's a lot of "noise"

Essentially, there are "normal errors" or "normal warnings" if logging granularity is very fine, regardless of context.

If you look at Windows logs on a perfectly functioning system, not knowing that, you'd swear it was ready to fall apart at any moment.
 
Essentially, there are "normal errors" or "normal warnings" if logging granularity is very fine, regardless of context.

If you look at Windows logs on a perfectly functioning system, not knowing that, you'd swear it was ready to fall apart at any moment.

I recall vividly a lot of clear labels of certain exploit tools and other attacks and probes. Microsoft's ISA server was quite robust....it would clearly stamp each attack with the proper explanation of details.
 