Conditional access validated prior to password
Today, authentication validates the password before hitting conditional access, therefore allowing password sprays to lock accounts.
Office 365 and Azure logins should take the password (as we do today), proceed with conditional access even if the password is wrong, allowing conditional access to block password sprays. Then, if the password is incorrect, deny the access or send for approval in the Azure app or request the token, whatever is the preferred choice for MFA.
Hope I was clear...
Kevin McCormick commented
We just started getting user lockouts from password spraying. I thought we'd be able to fix them by blocking a few problem countries, but no, they still cause lockouts even though they're now blocked by policy.
Matias Osca commented
I'm facing the same problem and this would help a lot. Two scenarios:
- users with MFA enabled shouldn't be blocked before passing the 2 factors (not showing invalid password before asking for MFA);
- conditional access blocking identification before authentication.
I agree with Julio: tweaking it a bit in the event of user-specific conditional access:
Enter User Name and Password -> Validate credentials and MFA (but no user response) -> Check conditional access (do not increment bad password counter if conditional access fails) -> Access Granted/Denied.
Julio Lima commented
Meaning, Conditional Access is done prior to confirming the password, then the password is verified and MFA is triggered.
Enter User Name and Password -> Conditional Access Checked (regardless if credentials are valid) -> Validates credentials -> Triggers MFA -> Access Granted/Denied
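As an added example (not code from this thread, from Microsoft, or from any Azure AD component), a small Python model of the two orderings discussed above: the current password-first flow that produces Kevin's lockouts, and Julio's Conditional-Access-first flow. The account, the attempts, the lockout threshold and the blocked-country policy are all constructed stand-ins.

```python
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 10  # constructed value; the real threshold is a tenant policy setting


@dataclass
class Account:
    password: str
    mfa_enrolled: bool = True
    bad_password_count: int = 0

    @property
    def locked(self) -> bool:
        return self.bad_password_count >= LOCKOUT_THRESHOLD


@dataclass
class Attempt:
    user: str
    password: str
    country: str


def ca_allows(attempt: Attempt, blocked_countries: frozenset) -> bool:
    """Constructed stand-in for a Conditional Access location policy."""
    return attempt.country not in blocked_countries


def login_current(acct: Account, attempt: Attempt, blocked: frozenset) -> str:
    """Today's order as the thread describes it: password first, then Conditional Access."""
    if attempt.password != acct.password:
        acct.bad_password_count += 1      # counter increments even for a CA-blocked source
        return "bad_password"
    if not ca_allows(attempt, blocked):
        return "blocked_by_ca"
    return "mfa_required" if acct.mfa_enrolled else "granted"


def login_proposed(acct: Account, attempt: Attempt, blocked: frozenset) -> str:
    """Julio's order: Conditional Access first, then password, then MFA."""
    if not ca_allows(attempt, blocked):
        return "blocked_by_ca"            # counter untouched: a blocked source cannot lock the account
    if attempt.password != acct.password:
        acct.bad_password_count += 1
        return "bad_password"
    return "mfa_required" if acct.mfa_enrolled else "granted"


def simulate_spray(login, n: int, blocked: frozenset = frozenset({"XX"})):
    """Run n wrong-password attempts from a CA-blocked country against one account."""
    acct = Account(password="correct-horse")
    for i in range(n):
        login(acct, Attempt("alice", f"wrong-{i}", "XX"), blocked)
    return acct.bad_password_count, acct.locked
```

Under the current ordering the counter reaches the threshold and the account locks; under the proposed ordering the same traffic leaves the counter at zero.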