Microsoft 365
Formerly Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.
4,217 questions
Prevent a user from trigerring the same cloud app policy multiple times
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 24%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJV%3C/text%3E%3C/svg%3E)
Jean Valjean 999
0
Reputation points
Hello,
I have a policy that triggers when a user fails to connect 100 times in 60 minutes. The main use of this policy is to notify our security team when a user is likely to be under attack so that they can contact the user to establish a strong password and enable the MFA. The issue however is that the same user can trigger this policy multiple times. This means that we get a lot of redundant alerts regarding the same user.
Is it possible to make it so once a user triggered the policy, they can't trigger it again for a certain amount of time ?
Best regards.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 8%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
B santhiswaroop naik 385 Reputation points2023-07-04T18:26:05.77+00:00 Yes, it is possible to configure a policy to prevent a user from triggering it again for a certain amount of time after it has been triggered. This can help reduce redundant alerts for the same user.
In Azure Active Directory (Azure AD), you can achieve this by using a combination of Azure AD Identity Protection and Azure AD Conditional Access policies. Here's a general approach to implement this:
Enable Azure AD Identity Protection: Azure AD Identity Protection provides advanced threat detection and risk-based policies. It can help identify risky sign-in behavior and trigger automated responses.
Create a Sign-in Risk policy: In Azure AD Identity Protection, create a Sign-in Risk policy that evaluates the risk level of user sign-ins. You can configure the policy to trigger based on the number of failed sign-in attempts within a specified time frame.
Configure a Conditional Access policy: Create a Conditional Access policy that targets the user or user group you want to apply the restriction to. In the policy, include a "Sign-in Risk" condition and set the policy to require multi-factor authentication (MFA) or block access for risky sign-ins.
Set a Custom Control: When configuring the Conditional Access policy, you can set a Custom Control that defines the behavior when the policy is triggered. You can specify a "Quiet period" or "Break glass" period during which the policy will not trigger again for the same user. This helps prevent repeated alerts for the same user within a specified timeframe.
By configuring a combination of Azure AD Identity Protection policies and Conditional Access policies, you can enforce security measures such as MFA or access blocking for users who trigger the defined policy conditions. The "Quiet period" or "Break glass" period helps ensure that the policy does not repeatedly trigger for the same user within a specific timeframe, reducing redundant alerts.
Sign in to comment