Use Microsoft Entra’s built-in protections plus Conditional Access to tightly control where that user can sign in and to automatically mitigate the attack.
- Harden sign-in for that user
  - Ensure strong authentication (MFA) is required for the user, so that even if the password is known, the sign-in fails at the MFA step.
  - Consider using Microsoft Entra ID Protection to block sign-ins when user or sign-in risk is high (for example, "block users if risk = high"). This helps automatically mitigate suspected account compromise.
- Restrict sign-in location with Conditional Access
  - Create a Conditional Access policy targeting that specific user.
  - Define a named location for the office public IP range.
  - Configure the policy so that it:
    - Grants access only when the sign-in originates from the trusted office IP (the named location), and
    - Blocks access from all other locations.
  - For privileged or sensitive accounts, this is explicitly recommended: apply stricter conditions such as "only from trusted IP addresses."
- Rely on Smart lockout and Entra protections
  - Smart lockout is always on and automatically locks the account after repeated failed attempts (default 10 failed attempts for Azure Public tenants, 3 for Azure US Government tenants). This slows down brute-force and password-spray attacks while allowing legitimate users from familiar locations to continue working.
  - Smart lockout differentiates between familiar and unfamiliar locations and maintains separate lockout counters, helping protect against global attack traffic while minimizing impact on normal use.
  - Microsoft Entra ID also analyzes IP and anomalous behavior and can block malicious sign-ins by default, returning error AADSTS50053 when a sign-in is blocked, regardless of whether the password was valid.
- Monitor and tune
  - Continue to monitor the Sign-in logs for that user for:
    - Many failed authentications from multiple IPs (possible password spray or brute force).
    - "Interrupted" sign-ins with Conditional Access failures, which can indicate that the password is correct but MFA is not being completed (possible compromised password, attacker blocked at MFA).
  - Review whether the Conditional Access and risk policies are too aggressive or too permissive, and adjust them to reduce noise while maintaining strong protection.
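As an added example (not part of the original answer), the named location plus the two Conditional Access policies from the list above, created with the Microsoft Graph PowerShell SDK. The UPN, display names and the office CIDR are placeholders; both policies are created in report-only mode so the sign-in log can be checked before they are enforced.

```powershell
# Added example: scope one user to the office public IP range and require MFA.
# Requires the Microsoft.Graph module (Install-Module Microsoft.Graph -Scope CurrentUser).
# All names, the UPN and the IP range below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

$targetUpn  = "alice@contoso.example"   # placeholder: the account receiving the login attempts
$officeCidr = "203.0.113.0/24"          # placeholder: office public IP range (TEST-NET-3)

$user = Get-MgUser -UserId $targetUpn -Property Id, UserPrincipalName

# 1. Named location for the office egress range. isTrusted = $true tells ID Protection
#    that sign-ins from this range are not "unfamiliar".
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Office public IP range"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $officeCidr }
    )
}

# 2. Block this user from every location except the office named location.
#    "All" locations are included and the office location is excluded, so the
#    block control only applies outside the office range.
$blockPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block $targetUpn outside office IP"
    state       = "enabledForReportingButNotEnforced"   # report-only first; switch to "enabled" after review
    conditions  = @{
        users        = @{ includeUsers = @($user.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($office.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3. Require MFA on every sign-in for the user, so a known password alone never completes a sign-in.
$mfaPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require MFA for $targetUpn"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @($user.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

"Named location {0}; block policy {1}; MFA policy {2}" -f $office.Id, $blockPolicy.Id, $mfaPolicy.Id

# Once the report-only results in the sign-in log look right, enforce both policies:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $blockPolicy.Id -State enabled
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $mfaPolicy.Id -State enabled
```

The include-All / exclude-office pattern is what makes "grant only from the office" work: Conditional Access has no "allow only" control, so the policy blocks everywhere and carves out the trusted location. Keep the policy scoped to the single user (as the answer says) so a mistake in the CIDR cannot lock out the whole tenant.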
This combination—Conditional Access restricted to office IP, enforced MFA, ID Protection risk-based blocking, and Smart lockout—provides the most effective way to stop excess login attempts from around the world for that specific user while keeping legitimate office access working.
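As an added example (not part of the original answer), a small PowerShell triage function that applies the two monitoring checks from the list above to sign-in log entries. The object shape follows what `Get-MgAuditLogSignIn` returns; the records fed to it here are constructed sample data with placeholder UPN and addresses, and the error codes used for classification are 50126 (invalid username or password), 53003 (blocked by Conditional Access) and the AADSTS50053 block mentioned in the answer.

```powershell
# Added example: classify one user's sign-in attempts into spray/brute-force,
# "password known but stopped by CA/MFA", and lockouts. Sample data is constructed.
function Find-SuspiciousSignIns {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int] $FailureThreshold = 10,      # wrong-password attempts before we call it a spray / brute force
        [string[]] $TrustedIps = @()       # office IPs; successes from elsewhere are worth a look
    )
    $failed = @($SignIns | Where-Object { $_.Status.ErrorCode -ne 0 })

    # Wrong password (AADSTS50126). Many of these from many IPs = password spray / brute force.
    $badPassword = @($failed | Where-Object { $_.Status.ErrorCode -eq 50126 })
    $badPwdIps   = @($badPassword | Select-Object -ExpandProperty IpAddress -Unique)

    # Password accepted, but Conditional Access blocked the sign-in (53003) or the
    # sign-in was interrupted with a CA failure before MFA completed: the password is known.
    $blockedAfterPassword = @($failed | Where-Object {
        $_.Status.ErrorCode -ne 50126 -and
        ($_.ConditionalAccessStatus -eq 'failure' -or $_.Status.ErrorCode -eq 53003)
    })

    # Smart lockout / Entra block, surfaced as AADSTS50053.
    $locked = @($failed | Where-Object { $_.Status.ErrorCode -eq 50053 })

    [pscustomobject]@{
        FailedTotal            = $failed.Count
        BadPasswordAttempts    = $badPassword.Count
        DistinctBadPasswordIps = $badPwdIps.Count
        LikelySpray            = ($badPassword.Count -ge $FailureThreshold -and $badPwdIps.Count -gt 1)
        PasswordLikelyKnown    = ($blockedAfterPassword.Count -gt 0)
        KnownPasswordSources   = @($blockedAfterPassword | Select-Object -ExpandProperty IpAddress -Unique)
        LockoutEvents          = $locked.Count
        UntrustedSuccesses     = @($SignIns | Where-Object {
            $_.Status.ErrorCode -eq 0 -and $_.IpAddress -notin $TrustedIps }).Count
    }
}

# Constructed sample: 12 wrong-password attempts from 6 addresses, one CA block
# with a correct password from a 7th address, and one success from the office.
$upn    = 'alice@contoso.example'   # placeholder
$sample = @()
$i = 0
foreach ($ip in '198.51.100.10','198.51.100.11','198.51.100.12','198.51.100.13','198.51.100.14','198.51.100.15') {
    foreach ($n in 1..2) {
        $sample += [pscustomobject]@{
            UserPrincipalName = $upn; IpAddress = $ip
            CreatedDateTime   = (Get-Date).AddMinutes(-$i); ConditionalAccessStatus = 'notApplied'
            Status = [pscustomobject]@{ ErrorCode = 50126; FailureReason = 'Invalid username or password' }
        }
        $i++
    }
}
$sample += [pscustomobject]@{
    UserPrincipalName = $upn; IpAddress = '198.51.100.20'
    CreatedDateTime   = Get-Date; ConditionalAccessStatus = 'failure'
    Status = [pscustomobject]@{ ErrorCode = 53003; FailureReason = 'Blocked by Conditional Access' }
}
$sample += [pscustomobject]@{
    UserPrincipalName = $upn; IpAddress = '203.0.113.5'
    CreatedDateTime   = Get-Date; ConditionalAccessStatus = 'success'
    Status = [pscustomobject]@{ ErrorCode = 0; FailureReason = $null }
}

Find-SuspiciousSignIns -SignIns $sample -TrustedIps '203.0.113.5'

# Live data instead of the sample (needs Connect-MgGraph -Scopes AuditLog.Read.All, Directory.Read.All):
# $live = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -All
# Find-SuspiciousSignIns -SignIns $live -TrustedIps '203.0.113.5'
```

On the sample data `LikelySpray` is true (12 bad-password attempts across 6 addresses) and `PasswordLikelyKnown` is true because of the 53003 entry, which is the signal the answer describes: the attacker has the password but Conditional Access stopped the sign-in, so a password reset is the next step rather than only tuning the policy.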