This has recently presented us with a challenge as we sold part of our business and want to separate permissions between two countries but are unable to do so.
Due to time zones and issues requiring resources on site, it would make sense for the Global admins to be able to delegate country-specific administration rights to individuals that look after a certain country.
Azure Active Directory Conditional Access has functionality for “Countries/Regions” – see https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
That said, the most effective protection you can have against password spray attacks is to enable MFA and disable basic authentication. If you cannot do this for your entire organization, then blocking user access to legacy protocols like POP, EWS, IMAP and SMTP is another step you can take. Exchange Online Client Access Rules can help you to further customize (https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules). For additional recommendations, please see Office 365 Secure Score.
That said, please know that we are listening to feedback and working on solutions to help make Office 365 users more secure. Thank you for the feedback.
We are also seeing similar behaviour to below and would like to be able to control what countries can log in to our tenant.
Agree. This has caused us operational issues; it was raised with MS and we were told this was by design as Office 365 groups were the new strategy.
However there will always be a place for DLs where people want the notification delivered to their own mailbox, take Infrastructure/system alerts that people see on their phones when not in office.
Very disappointed in how this has been introduced. MS ideas are great but the implementations of these new features are very poor and not thought through... How many more people has this caused issues for?
Imagine a user is a member of 4 DLs; that means they would now have 5 mailboxes to view and check ... if they were Office 365 groups.
This is something we are trying to achieve using the security and compliance centre and preservation policies, however there are severe limitations on using these currently. Can't set 7 years on a hold on SharePoint sites.
If a preservation policy is set, content/sites just can't be deleted, not the experience we want our users to see (also not sure how that affects storage).
There is no easy flag like there is on Exchange so we can retrieve content.
We know that there is no good way of managing external users in the Admin Portal today and we are thinking about ways to solve this.
We hope to have this one addressed within the next month or two.
We have the same issue, raised with MS Premier support who advised currently this is working as designed. The NDR backscatter setting doesn't stop this as the emails are not classed as backscatter as they are notifications which are configurable.
As we can't put our spoofing transport rule before malware in the order of scanning, the only other options MS advised were to implement DKIM and DMARC, but I've seen mixed results on forums from implementing this so am holding fire for the moment.
36 votes · Paul Garbett shared this idea