I've been keeping an eye on the sign-in logs for Microsoft ENTRA, and I noticed a ton of login attempts that look like password spraying, especially targeting applications like Microsoft Office, Azure CLI, and PowerShell. My concern is that these attempts don't seem to trigger any Conditional Access policies. Am I missing something here?
3 Answers
Conditional Access is made up of various policies. For example, you might have a policy that only allows logins from specific locations. Check what policies you have in place. If you've got a policy for all users stating they can only log in from certain places, that's what you'd be expecting to see reflected in the logs.
Just so you know, Conditional Access policies don't kick in for failed login attempts. At that point, the attempt is treated as anonymous, so Microsoft can’t apply any specific policies. You should really be looking for successful login attempts to see if those policies are applied or not.
Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures