When they initially onboarded, there was no filtering or security in any form:
Running a simple audit against Azure AD>Sign-ins showed the extent, even more when you export a CSV.
2000+ failed attempts within 24 hours:
Step 1) Sort or filter the CSV to find common trends (specific user account/IP/Country:
In this case, the client doesn’t have staff in China, nor should anyone be accessing from there
Step 2) Create a Blacklist – AzureAD>Conditional Access.
- Create a Named location – in this case I named it ‘Blacklist’
- Add any IPs to the blacklist
- Create a policy – Name accordingly
- Filter by a test account if appropriate, same for specific apps (don’t filter all apps if the admin account is included!! This can lock you out of the portal if you make a mistake!)
- Set the blacklist location
- Block the blacklist (or if you’re creating a whitelist, just allow instead of reject)
- Enable the policy, then click the ‘What If’ button and test
Make sure it works as intended!