Block logins from other countries
It would improve security if we can restrict O365 logins to a specific geographic region. Or exclude specific countries if we identify major hacking attempts from those countries.
Azure Active Directory Conditional Access has functionality for “Countries/Regions” – see https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
That said, the most effective protection you can have against password spray attacks is to enable MFA and disable basic authentication. If you cannot do this for your entire organization, then blocking user access to legacy protocols like POP, EWS, IMAP and SMTP is another step you can take. Exchange Online Client Access Rules can help you to further customize (https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules). For additional recommendations, please see Office 365 Secure Score.
That said, please know that we are listening to feedback and working on solutions to help make Office 365 users more secure. Thank you for the feedback.
Ben Bazian commented
Blocking IP access and regional access should be a basic option. Should not have to pay an arm and a leg to protect my accounts.
It does fall under Azure Conditional Access policies, but is a costly addon I believe.
Doesn't this option fall under Azure Conditional Access policies?
You can restrict access by Device, Application, Network location.
Simply set up preferred locations or IP addresses and then create a policy that includes all users in the company and add the preferred location to it. Login attempts that are from other IPs or countries specified by you will be blocked automatically.
NOTE: You will need a license for this.
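The procedure described in the comment above (a named location plus a policy that applies to all users), written out with the Microsoft Graph PowerShell SDK as an added example; this is not code from the thread or from Microsoft. It assumes the Microsoft.Graph module is installed, that the signed-in administrator can consent to Policy.ReadWrite.ConditionalAccess, and that the tenant holds the Azure AD Premium licence the NOTE refers to. The country list, display names and the excluded account ID are placeholders.

```powershell
# Added example, not from the original thread. Assumes Microsoft.Graph PowerShell SDK.
# Requires Azure AD Premium P1 (Conditional Access) and admin consent to the scopes below.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# 1. Named location: the countries users are expected to sign in from (ISO 3166-1 alpha-2 codes).
$allowedCountries = @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Allowed sign-in countries'   # placeholder name
    countriesAndRegions               = @('US', 'GB')                  # placeholder list
    includeUnknownCountriesAndRegions = $false   # IPs that cannot be geolocated are NOT treated as allowed
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $allowedCountries

# 2. Policy: all users, all cloud apps, every location except the named one -> block.
#    Starts in report-only mode so the effect can be reviewed in the sign-in logs first.
$policy = @{
    displayName   = 'Block sign-ins outside allowed countries'   # placeholder name
    state         = 'enabledForReportingButNotEnforced'          # change to 'enabled' after review
    conditions    = @{
        users        = @{
            includeUsers = @('All')
            # Placeholder: object ID of an emergency-access (break-glass) account that must never be locked out.
            excludeUsers = @('<break-glass-account-object-id>')
        }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)   # the named location created in step 1
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Leave the policy in report-only mode until the sign-in logs show no unexpected blocks, and keep the break-glass exclusion: a country-based block policy with no excluded account locks out the administrators too if they sign in from an unlisted country. Staff who travel need a named location (or a per-user exclusion) added before they leave, which is the caveat several commenters below raise.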
Can we please, block access by region / country? I am tired of resetting user passwords and reporting it to the FBI...
For the love of god, please make Office 365 more secure. I have to reset 3-5 users per week that get their accounts hacked. Does Microsoft even care anymore??
Kevin Kinneer commented
I was just looking at our security training presentation. We have a blurb that mentions "Your O365 account can be accessed from anywhere in the world" and suddenly I'm thinking "Wait that's ridiculous." This absolutely should be a base feature.
Scott Carlow commented
This should absolutely be considered a basic security setting. Conditional Access policies, and the licensing that ability comes with, shouldn't be necessary to outright deny auth attempts from certain geographical regions.
Martin Kidd commented
Totally agree. This should be available for all tenants.
Bob Wilkerson commented
We can't keep up with the brute force attacks from other countries. We have the Extranet Lockout Policies set but it does not seem to make much of a difference. I can identify countries by the logs but cannot do anything about them.
Should not be a premium feature! MFA is not practical for us.
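Before writing a location policy it helps to know which countries the failed attempts actually come from, and how many distinct accounts and source IPs are involved, which is what the commenter above says they can see in the logs. The following is an added example (not from the thread) that tallies failed Azure AD sign-ins by source country. It runs offline on constructed sample records shaped like the output of Get-MgAuditLogSignIn from the Microsoft.Graph module; the commented-out live query at the end assumes that module and AuditLog.Read.All consent. The sample user names, IPs and countries are made up.

```powershell
# Added example, not from the original thread. Tallies failed sign-ins per source country.
function Get-FailedSignInsByCountry {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,   # records with Status.ErrorCode, Location.CountryOrRegion
        [int] $Threshold = 10                          # flag countries at or above this many failures
    )
    $SignIns |
        Where-Object { $_.Status.ErrorCode -ne 0 } |                     # 0 = successful sign-in
        Group-Object { if ($_.Location.CountryOrRegion) { $_.Location.CountryOrRegion } else { 'Unknown' } } |
        ForEach-Object {
            [pscustomobject]@{
                Country        = $_.Name
                Failures       = $_.Count
                TargetedUsers  = ($_.Group.UserPrincipalName | Sort-Object -Unique).Count
                SourceIPs      = ($_.Group.IPAddress | Sort-Object -Unique).Count
                AboveThreshold = $_.Count -ge $Threshold
            }
        } |
        Sort-Object Failures -Descending
}

# Constructed sample records (not real tenant data). Error code 50126 = bad username/password,
# 50053 = account locked; both are documented Azure AD sign-in error codes.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; IPAddress = '203.0.113.10'; Status = @{ ErrorCode = 50126 }; Location = @{ CountryOrRegion = 'KR' } }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   IPAddress = '203.0.113.10'; Status = @{ ErrorCode = 50126 }; Location = @{ CountryOrRegion = 'KR' } }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example'; IPAddress = '203.0.113.11'; Status = @{ ErrorCode = 50053 }; Location = @{ CountryOrRegion = 'KR' } }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; IPAddress = '198.51.100.7'; Status = @{ ErrorCode = 50126 }; Location = @{ CountryOrRegion = 'US' } }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; IPAddress = '198.51.100.7'; Status = @{ ErrorCode = 0 };     Location = @{ CountryOrRegion = 'US' } }
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.example';  IPAddress = '192.0.2.44';   Status = @{ ErrorCode = 50126 }; Location = @{ CountryOrRegion = $null } }
)

Get-FailedSignInsByCountry -SignIns $sample -Threshold 3 | Format-Table -AutoSize
# Expected rows: KR (3 failures, 3 users, 2 IPs, flagged), US (1), Unknown (1)

# Live tenant (uncomment): failed sign-ins from the last 24 hours, then the same tally.
# Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
# $since = (Get-Date).AddDays(-1).ToUniversalTime().ToString('o')
# $live  = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since and status/errorCode ne 0" -All
# Get-FailedSignInsByCountry -SignIns $live | Format-Table -AutoSize
```

The Unknown bucket matters: the country comes from IP geolocation, so a share of attempts will have no country at all, and a policy that treats unknown locations as allowed leaves that share unfiltered. The tally also shows whether the failures are a password spray (many users, few IPs) or a single targeted account, which changes whether a country block or a per-account response is the right fix.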
Luc L. commented
ASAP Please. To help with the internal lockouts, you can enable ExtranetLockout on your ADFS setup.
Did we try using smart lockout functionality? For federated domains it is available for Windows Server 2016 and by default enabled for Password Hash synced users.
Please add as soon as you can. This is getting to be nuts. I am dealing with brute force attacks every day.
Jason Moyer commented
+1 A customer is dealing with 80 plus lockouts a day because of brute force attacks from foreign countries they don't do any business with...This is the biggest issue for their help desk... Please add this option.
Joseph Tullis commented
Concur. Our small business is also not going to pay for a premium Azure license after having paid for Office 365. This should be enabled by default and then we have to enable sign-ins from other countries if anyone is going to travel abroad. Please fix this Microsoft.
Our company isn't willing to pay £12000 a year for an Azure Premium licence. This functionality should be a system default.
It would be nice to have the option to restrict access to Office 365 based on location, country, or IP.
Bala Sankar commented
This feature must be enabled on O365 tenants
Kevin Luke commented
Almost daily I come into work and my account is locked due to having ADSync setup. I have removed admin rights from my account in reaction to this. It's unbelievable that we cannot restrict login attempts from other countries. Get it together Microsoft!
Ashley Hurst commented
We've had a number of our 365 clients' passwords being hacked from sources originating from Korea over the last 2 weeks. Microsoft's default passwords it gives out (AAA55555) are usually hacked within a night.
While we try and convince our customers to use more secure passwords, it would greatly improve the security of these email addresses if we just block IPs from these countries if the business does not have any workers from this country.
I can see there is already an option to block incoming spam by country, so why not this?