We're in the middle of migrating our users and mailboxes to M365, and we've been utilizing Azure AD Connect for the sync. Recently, we enabled password writeback, but now several users are experiencing frequent lockouts. It seems like someone (or potentially bots) is conducting password spraying, successfully guessing usernames and trying to log into services that we don't even use.
I've discussed this issue with our managed service provider (MSP), and they mentioned that conditional access policies only apply after a login attempt is made, which doesn't help prevent these lockouts. This seems concerning; isn't there a way to stop unauthorized attempts from happening in the first place? For example, is it possible to restrict access to our org's IP range and our Zscaler IP block? I want to ensure that any measures I take won't disrupt our production environment. Any insights would be appreciated!
2 Answers
Definitely look at your lockout count set in AD. If it’s lower than 10, it might be too strict, as regular user activity can lead to lockouts. However, if you’re facing issues from external attacks rather than legitimate users, increasing it won’t solve the problem. You need a proactive strategy against these bots trying to access accounts and causing these issues.
Your MSP is correct! Conditional access kicks in after a login attempt, making it tricky to manage these lockouts. We don't use password writeback either because of this issue. One approach to consider is lowering the lockout threshold in Azure compared to on-prem AD, but I’m not sure if that works with writeback enabled. We also restrict our tenant to our private IPs, but unfortunately, it doesn’t fully stop password sprays. You might want to take this into account when crafting your strategy.
I've heard that disabling password writeback can help too, but it depends on how your legacy apps interact with passwords. Keep pressing your MSP for clarity on that!
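Since the answer above notes that restricting the tenant to known IP ranges does not fully stop sprays, and the question asks about limiting access to the org's range and the Zscaler block, here is an added example (not code from this thread or from Microsoft) that looks at failed sign-in records from the defender's side: it flags sources that fail against many distinct accounts in a short window, which is the spray signature a per-account lockout threshold cannot see, and reports which of those sources sit outside a trusted-range list. The record format, addresses, ranges and thresholds are constructed placeholders.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed sign-in records (timestamp, user, source IP, result); not real tenant logs.
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:01", "alice@example.com", "203.0.113.10", "InvalidPassword"),
    ("2024-05-01T08:00:03", "bob@example.com", "203.0.113.10", "InvalidPassword"),
    ("2024-05-01T08:00:05", "carol@example.com", "203.0.113.10", "InvalidPassword"),
    ("2024-05-01T08:00:07", "dave@example.com", "203.0.113.10", "InvalidPassword"),
    ("2024-05-01T08:05:00", "alice@example.com", "198.51.100.7", "InvalidPassword"),
    ("2024-05-01T08:05:30", "alice@example.com", "198.51.100.7", "InvalidPassword"),
    ("2024-05-01T09:00:00", "erin@example.com", "203.0.113.10", "InvalidPassword"),
]

# Hypothetical trusted egress ranges (stand-ins for the org's own block and the Zscaler block).
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

def is_trusted(ip, networks=TRUSTED_NETWORKS):
    """True if the source address falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def detect_sprays(events, window=timedelta(minutes=10), min_users=3):
    """Map source IP -> sorted list of targeted users for sources that failed
    against at least min_users distinct accounts within one sliding window.
    A spray uses few passwords across many accounts, so the signal is the
    number of distinct users per source, not the number of attempts per user
    (which is all a lockout threshold measures)."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "InvalidPassword":
            by_ip[ip].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

def untrusted_spray_sources(events):
    """Flagged sources outside the trusted ranges: the ones a tenant-level
    IP restriction would keep out, as opposed to sprays that arrive from
    inside an allowed range and still reach the sign-in endpoint."""
    return sorted(ip for ip in detect_sprays(events) if not is_trusted(ip))
```

On the constructed sample, 203.0.113.10 is flagged (four accounts in seven seconds) and is outside the trusted range, while the repeated failures for a single account from 198.51.100.7 are not spray-shaped and would not be caught by an IP allow-list anyway.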

Totally get that. Increasing it seems like a temporary fix. Focusing on blocking these attempts entirely should be a priority!