Azure Active Directory Conditional Access has functionality for “Countries/Regions” – see https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
That said, the most effective protection you can have against password spray attacks is to enable MFA and disable basic authentication. If you cannot do this for your entire organization, then blocking user access to legacy protocols like POP, EWS, IMAP and SMTP is another step you can take. Exchange Online Client Access Rules can help you to further customize (https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules). For additional recommendations, please see Office 365 Secure Score.
That said, please know that we are listening to feedback and working on solutions to help make Office 365 users more secure. Thank you for the feedback.
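The two mitigations named in the reply above (disabling basic authentication and blocking legacy protocols), as an added example that is not part of the original thread and is not Microsoft's own code. It assumes an Exchange Online PowerShell session is already connected with `Connect-ExchangeOnline`; the policy name and the pilot mailbox addresses are hypothetical.

```powershell
# Added example. Assumes a connected Exchange Online session.
# The policy name and pilot addresses are hypothetical, constructed values.
$PolicyName = 'Block Basic Auth'
$Pilot      = @('pilot1@contoso.example', 'pilot2@contoso.example')

# 1. Audit: list mailboxes that still accept POP, IMAP or authenticated SMTP.
#    A blank SmtpClientAuthenticationDisabled means the mailbox inherits the
#    organization-wide setting, so it is reported for review as well.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or
                   -not $_.SmtpClientAuthenticationDisabled } |
    Select-Object Identity, PopEnabled, ImapEnabled, EwsEnabled,
                  SmtpClientAuthenticationDisabled |
    Format-Table -AutoSize

# 2. Create an authentication policy. With no -AllowBasicAuth* switches,
#    the policy blocks basic authentication for every protocol.
if (-not (Get-AuthenticationPolicy | Where-Object Name -eq $PolicyName)) {
    New-AuthenticationPolicy -Name $PolicyName
}

# 3. Apply to a pilot group first: assign the policy and switch off the
#    legacy protocols on each mailbox. EWS is left enabled here because
#    some modern-auth clients depend on it; the policy above already
#    stops basic-auth sign-ins to EWS.
foreach ($user in $Pilot) {
    Set-User       -Identity $user -AuthenticationPolicy $PolicyName
    Set-CASMailbox -Identity $user -PopEnabled $false -ImapEnabled $false `
                   -SmtpClientAuthenticationDisabled $true
}

# 4. After the pilot, make the policy the default for the whole organization.
# Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName
```

Run step 1 again after the pilot to confirm the mailboxes no longer appear, and check for devices or applications that send mail through authenticated SMTP before rolling out step 4.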
sam commented
We are a small organisation (100 users) with little finance and we operate across a variety of host networks, with or without VPNs, i.e. Users appear across a wide range of IP addresses outside of my control. I have enforced MFA and CA, but I am not able to create a CA policy for Named Locations within my subscription. This is leading to increasingly disgruntled Users from constant MFA requests and I may be shortly forced to reduce our security, despite having recently suffered from an SMTP auth attack.
System Availability is as important as Confidentiality and Integrity, so surely if a feature is included in my subscription (MFA and baseline CA), so should the ability to configure it. Otherwise, it's pointless!
Thanks for sharing this with us. The team is looking at how to improve the O365 homepage. These are helpful details. Others should please comment with specifics as well if they have ideas on customization improvements. – Jay Waltmunson (O365 Program Manager)
We are trying to fit this feature in with our current plans. We’ll get back to you shortly.
This is really good feedback. We are working on adding MDM functionality. Please email us at firstname.lastname@example.org to tell us more about what you’d like to see.
We are finalizing our plan for the initial reports functionality in the mobile app.