Can't seem to get conditional access by country to work...

  • Question

  • I've set it up, it seems OK, but no filtering is made.

    Other rules work.

    here is the "Named Locations":

    and here is the full rule configuration:

    Any ideas why it won't work?

    Tuesday, May 21, 2019 6:38 AM

Answers

  • Hello Benny,

    CA policies are actually applied after the user credentials are validated, just before issuing the token. So brute force attempts will not be blocked using a conditional access policy and you will see failed sign-in attempts in the logs. With this policy, even if the hacker from the blocked countries gets access to the valid credentials, they will not receive a token and will be blocked.

    To prevent brute force attacks, enabling Azure AD smart lockout and MFA are the recommended options. Hope this clarifies.

    • Marked as answer by Benny Barak Tuesday, May 21, 2019 8:48 AM
    Tuesday, May 21, 2019 8:17 AM
    Moderator
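The answer above explains that Conditional Access is evaluated only after a password has been accepted, so password guessing and a blocked sign-in with valid credentials leave different traces in the sign-in logs. The following added example (not from this thread or from Microsoft) triages constructed records shaped like Azure AD sign-in log entries (Graph signIn fields userPrincipalName, ipAddress, location.countryOrRegion, status.errorCode, conditionalAccessStatus); it assumes Azure AD's error codes 50126 (wrong password), 50053 (smart lockout) and 53003 (blocked by Conditional Access), and the country codes XX and ZZ are placeholders.

```python
import json
from collections import Counter

# Constructed sample records in the shape of Azure AD sign-in log entries
# (Graph signIn schema subset). "XX" stands in for a country listed in the
# blocking policy's Named Location, "ZZ" for an allowed one. Not real log data.
SAMPLE_SIGNINS = json.loads("""[
{"userPrincipalName":"benny@example.com","ipAddress":"203.0.113.10",
 "location":{"countryOrRegion":"XX"},"status":{"errorCode":50126},"conditionalAccessStatus":"notApplied"},
{"userPrincipalName":"benny@example.com","ipAddress":"203.0.113.10",
 "location":{"countryOrRegion":"XX"},"status":{"errorCode":50126},"conditionalAccessStatus":"notApplied"},
{"userPrincipalName":"benny@example.com","ipAddress":"203.0.113.10",
 "location":{"countryOrRegion":"XX"},"status":{"errorCode":50053},"conditionalAccessStatus":"notApplied"},
{"userPrincipalName":"dana@example.com","ipAddress":"203.0.113.77",
 "location":{"countryOrRegion":"XX"},"status":{"errorCode":53003},"conditionalAccessStatus":"failure"},
{"userPrincipalName":"dana@example.com","ipAddress":"198.51.100.5",
 "location":{"countryOrRegion":"ZZ"},"status":{"errorCode":0},"conditionalAccessStatus":"success"}
]""")

BLOCKED_COUNTRIES = {"XX"}
ERR_INVALID_CREDENTIALS = 50126  # AADSTS50126: wrong username or password
ERR_ACCOUNT_LOCKED = 50053       # AADSTS50053: smart lockout engaged
ERR_BLOCKED_BY_CA = 53003        # AADSTS53003: credentials accepted, token denied by CA

def classify(rec):
    """Map one sign-in record to what the policy engine actually saw."""
    code = rec["status"]["errorCode"]
    if code == ERR_INVALID_CREDENTIALS:
        return "bad_password"      # CA never ran; password guessing only shows up here
    if code == ERR_ACCOUNT_LOCKED:
        return "locked_out"        # smart lockout stopped the guessing, not CA
    if code == ERR_BLOCKED_BY_CA or rec["conditionalAccessStatus"] == "failure":
        return "valid_creds_blocked_by_ca"  # password was right; the location policy denied the token
    return "success" if code == 0 else "other_failure"

def triage(records, blocked=BLOCKED_COUNTRIES):
    """Count outcomes, list users whose password an attacker evidently knows, count guesses per (user, IP)."""
    counts, guesses, compromised = Counter(), Counter(), set()
    for rec in records:
        cat = classify(rec)
        counts[cat] += 1
        in_blocked = rec["location"]["countryOrRegion"] in blocked
        if cat in ("bad_password", "locked_out") and in_blocked:
            guesses[(rec["userPrincipalName"], rec["ipAddress"])] += 1
        if cat == "valid_creds_blocked_by_ca":
            compromised.add(rec["userPrincipalName"])   # credential is compromised; reset it
    return {"counts": dict(counts), "compromised_users": sorted(compromised),
            "guessing_sources": {f"{u} from {ip}": n for (u, ip), n in guesses.items()}}
```

Users in `compromised_users` are the "users at risk" the thread mentions: the country policy held, but only because the password was already known.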

All replies

  • Hello Benny,

    The configuration looks good. How are you testing this rule? Are you trying to sign in using a VPN?

    Can you use the What If tool available to test by providing IP addresses of the countries you blocked and test it once?

    Tuesday, May 21, 2019 7:00 AM
    Moderator
  • Hey Manoj,

    Thanks for replying.

    Yes, the "whatif" tool works and says that the policy will apply.

    It is being tested live, since I have multiple brute force attempts from that country.

    However, it does not apply the rule.

    Tuesday, May 21, 2019 7:10 AM
  • Thank you.

    That's actually smart for detecting users at risk when correct credentials are used.

    Marked as answer :)

    Tuesday, May 21, 2019 8:49 AM