Feedback by UserVoice

How can we improve the tenant admin features O365?

Block logins from other countries

It would improve security if we can restrict O365 logins to a specific geographic region. Or exclude specific countries if we identify major hacking attempts from those countries.

2,980 votes
Gerard shared this idea

161 comments

  • Wayne Singh commented

    I use Conditional Access via Azure, however I agree with everyone that this should be a base function available to all.

  • Stev commented

    I find it crazy that when on prem I have 100% control via my firewalls to block this type of access.

    Now throw in 365, & now ANY blocks for Geo I have established on my FW's are moot, since any logins from foreign countries appear as USA/Azure/MS servers.

    Their solution? Another expensive license in order to get conditional access on the Azure P1. I find this crazy, why do I have to pay extra for a very basic security control.

  • Jim Lloyd commented

    Add me to this list... Geo-Locking should be default in all Office 365 offerings. It is right up there with passwords longer than 16 characters.

  • Steve L commented

    Conditional access also doesn't do anything about a POP client sitting there brute forcing your tenant account all day and night.

  • Steve L commented

    Azure Conditional Access doesn't prevent the login attempt. The login still happens, then it blocks access to the cloud apps based on your location rule. So the attacker can still figure out if they have a live account and valid password combo.

    You can configure an account lockout but when they are hitting accounts hundreds of times a day, your job duties are going to be pretty much unlocking accounts 24/7.

    It would be good if we could block the login attempt itself geographically. This would help keep brute force / password spray attacks from compromising accounts. We have no students in China or Turkey. :-\ Yes we can also turn off legacy authentication, but c'mon.
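
Added example, not part of any comment in this thread: a Python triage of sign-in records for the behavior Steve L describes above, where a Conditional Access block that follows a correct password still confirms the credentials to whoever tried them. The record shape follows Microsoft Graph signIn objects; the sample records, the allowed-country set, and the spray threshold are constructed assumptions.

```python
from collections import defaultdict

# Azure AD sign-in error codes (status.errorCode in sign-in logs)
ERR_BAD_PASSWORD = 50126   # invalid username or password
ERR_LOCKED = 50053         # account locked after repeated failures
ERR_BLOCKED_BY_CA = 53003  # blocked by Conditional Access, after first-factor auth

ALLOWED_COUNTRIES = {"US"}  # assumption: countries this tenant expects logins from


def rec(user, ip, country, code):
    """Build a constructed record shaped like a Microsoft Graph signIn object."""
    return {"userPrincipalName": user, "ipAddress": ip,
            "location": {"countryOrRegion": country},
            "status": {"errorCode": code}}


# Constructed sample data (documentation IP ranges, example.edu accounts).
SAMPLE_SIGNINS = [
    rec("alice@example.edu", "203.0.113.7", "CN", ERR_BAD_PASSWORD),
    rec("bob@example.edu", "203.0.113.7", "CN", ERR_BAD_PASSWORD),
    rec("carol@example.edu", "203.0.113.7", "CN", ERR_LOCKED),
    rec("Bob@example.edu", "198.51.100.9", "TR", ERR_BLOCKED_BY_CA),
    rec("alice@example.edu", "192.0.2.10", "US", 0),
    rec("dave@example.edu", "192.0.2.11", "US", ERR_BAD_PASSWORD),
]


def triage(signins, allowed=ALLOWED_COUNTRIES, spray_threshold=3):
    """Return accounts to review for a password reset, and likely spray sources."""
    exposed = set()               # correct password, session stopped only by policy
    failures = defaultdict(set)   # source IP -> distinct accounts it failed against
    for r in signins:
        if r["location"]["countryOrRegion"] in allowed:
            continue
        user = r["userPrincipalName"].lower()
        code = r["status"]["errorCode"]
        if code == ERR_BLOCKED_BY_CA:
            exposed.add(user)
        elif code in (ERR_BAD_PASSWORD, ERR_LOCKED):
            failures[r["ipAddress"]].add(user)
    spray = {ip: sorted(u) for ip, u in failures.items() if len(u) >= spray_threshold}
    return {"reset_password": sorted(exposed), "spray_sources": spray}


if __name__ == "__main__":
    print(triage(SAMPLE_SIGNINS))
```

A 53003 result from outside the allowed countries can also be a legitimate user who is travelling, so the `reset_password` list is a review queue rather than a verdict.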

  • John Bishop commented

    You gotta love some of these comments, Azure already does this, if you're changing user passwords 35 times a day, you need to enable MFA, you're doing it wrong.

  • Anonymous commented

    We have bad actors that make multiple attempts daily to break into our tenant. We need the ability to restrict logins/connection to USA locations only!

  • Jonathan Mergy commented

    We've done all we can with the existing O365 tools but I really need the ability to inhibit any authentication actions by country, IP range, etc. I have servers in China just pegging specific accounts and it's crazy I can't just cut them off.

  • Roel commented

    Accounts keep getting locked because of hacking attempts from China (MFA prevents any successful attempts, but my account is locked continuously because China tries to log in 1000 times per day).

  • Tom Coglianese commented

    We desperately need this! Small and medium sized municipalities simply don't have the additional budget for the incremental license upgrades and honestly we had much better control before moving these services off prem!

  • Dennis commented

    Consider putting your ADFS external portal behind a cloud web application firewall. Then whitelist your firewall.

    Then in your firewall, geoblock locations.

    I have set up Imperva Incapsula, but there are options. Always test first, so consider spinning up a second, identically configured ADFS deployment and test.

  • Ibrahim commented

    Why is this basic security feature not included in all versions of Azure AD? We are already spending a hefty amount with Microsoft's cloud services, this is a must include in all Azure AD levels.
