When this client first onboarded, there was no sign-in filtering or security of any kind:

Running a simple audit against Azure AD > Sign-ins showed the extent of it, and exporting the log to CSV showed even more.
2000+ failed sign-in attempts within 24 hours:

Step 1) Sort or filter the CSV to find common trends (a specific user account, IP or country):
In this case, the client doesn’t have staff in China, nor should anyone be accessing from there.

Step 2) Create a blacklist – Azure AD > Conditional Access.
- Create a Named location – in this case I named it ‘Blacklist’

- Add any IPs to the blacklist

- Create a policy – Name accordingly

- Scope the policy to a test account if appropriate, and likewise to specific apps (don’t target all apps if the admin account is included! A mistake here can lock you out of the portal!)


- Set the blacklist location

- Block the blacklist (or if you’re creating a whitelist, just allow instead of reject)

- Enable the policy, then click the ‘What If’ button and test
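As an added example (not code from the original post), the script below does Step 1 and the data-entry half of Step 2 programmatically: it parses a sign-in export, tallies failures per IP and per country, flags IPs that are either outside the countries where staff actually work or are hammering several accounts, and then builds the Microsoft Graph request bodies for an `ipNamedLocation` and a block policy scoped to it. The CSV column names are an assumption modelled on the portal export and the rows are constructed; the `<named-location-id>`, `<test-user-id>` and `<app-id>` values are placeholders you would replace with your tenant's object IDs. It goes slightly beyond the post by also reporting how many distinct users each IP targeted, which is the tell-tale sign of a spray rather than one user mistyping a password.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of an Azure AD > Sign-ins CSV export. Column names are an
# assumption modelled on the portal export; the rows are invented for this example.
SAMPLE_CSV = """Date (UTC),Username,Status,Failure reason,IP address,Location
2023-01-10T01:02:03Z,alice@example.com,Failure,Invalid username or password,203.0.113.10,"Beijing, Beijing, CN"
2023-01-10T01:02:09Z,bob@example.com,Failure,Invalid username or password,203.0.113.10,"Beijing, Beijing, CN"
2023-01-10T01:02:15Z,carol@example.com,Failure,Invalid username or password,203.0.113.10,"Beijing, Beijing, CN"
2023-01-10T01:03:01Z,alice@example.com,Failure,Invalid username or password,203.0.113.77,"Shanghai, Shanghai, CN"
2023-01-10T01:03:30Z,dave@example.com,Failure,Invalid username or password,203.0.113.77,"Shanghai, Shanghai, CN"
2023-01-10T08:15:00Z,alice@example.com,Success,,198.51.100.5,"London, England, GB"
2023-01-10T08:16:00Z,alice@example.com,Failure,Invalid username or password,198.51.100.5,"London, England, GB"
2023-01-10T08:16:20Z,alice@example.com,Success,,198.51.100.5,"London, England, GB"
"""


def parse_signins(text):
    """Read the export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def country_of(location):
    """The Location column reads 'City, State, CC'; the country code is the last part."""
    return location.rsplit(",", 1)[-1].strip()


def failed_by_ip(rows):
    """Number of failed sign-ins per source IP (the 'sort by IP' half of Step 1)."""
    return Counter(r["IP address"] for r in rows if r["Status"] == "Failure")


def failed_by_country(rows):
    """Number of failed sign-ins per country (the 'sort by country' half of Step 1)."""
    return Counter(country_of(r["Location"]) for r in rows if r["Status"] == "Failure")


def users_targeted_by_ip(rows):
    """Distinct accounts each IP failed against; many users from one IP is a spray."""
    targeted = defaultdict(set)
    for r in rows:
        if r["Status"] == "Failure":
            targeted[r["IP address"]].add(r["Username"])
    return {ip: len(users) for ip, users in targeted.items()}


def candidate_blacklist(rows, allowed_countries, min_failures=3):
    """IPs worth adding to the named location: any failure from a country where the
    organisation has no staff, or min_failures+ failures from anywhere."""
    failures = failed_by_ip(rows)
    country = {r["IP address"]: country_of(r["Location"]) for r in rows}
    return sorted(
        ip for ip, n in failures.items()
        if country[ip] not in allowed_countries or n >= min_failures
    )


def named_location_body(display_name, ips):
    """Graph request body for POST /identity/conditionalAccess/namedLocations."""
    ranges = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)  # rejects anything that is not a real address
        kind = "iPv4CidrRange" if addr.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}",
                       "cidrAddress": f"{addr}/{addr.max_prefixlen}"})
    return {"@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": display_name, "isTrusted": False, "ipRanges": ranges}


def block_policy_body(display_name, location_id, user_ids, app_ids, state="disabled"):
    """Graph request body for POST /identity/conditionalAccess/policies.
    Scoped to the given users and apps only, per the post's lock-out warning;
    state is 'disabled' until you have run What If, then set it to 'enabled'."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeUsers": list(user_ids)},
            "applications": {"includeApplications": list(app_ids)},
            "locations": {"includeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    rows = parse_signins(SAMPLE_CSV)
    print("failures by country:", dict(failed_by_country(rows)))
    print("failures by IP:", dict(failed_by_ip(rows)))
    print("users targeted per IP:", users_targeted_by_ip(rows))
    bad_ips = candidate_blacklist(rows, allowed_countries={"GB"})
    print("blacklist candidates:", bad_ips)
    print(named_location_body("Blacklist", bad_ips))
    # Placeholder IDs: substitute the named location, test user and app object IDs.
    print(block_policy_body("Block blacklist", "<named-location-id>",
                            ["<test-user-id>"], ["<app-id>"]))
```

Feed the real export in place of `SAMPLE_CSV` and the candidate list is exactly what goes into the ‘Blacklist’ named location; the two body builders give you the same objects the portal creates, which is handy when the list is long or has to be reproduced in several tenants.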


Make sure it works as intended!
End result:
