Apply Conditional Access blocks before authentication
Conditional Access policies that completely block access should be applied before allowing the user to attempt authentication, because otherwise an attacker can still crack a user's password (e.g. using a botnet) even though Conditional Access prevents them from actually using the account. This cracked password can then be used to access the account under different circumstances in which Conditional Access allows access.
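A small model of the evaluation-order problem described in the suggestion, added here as an illustration (it is not code from the post, from Microsoft, or from the Conditional Access service). It simulates two orderings of a sign-in pipeline and shows the two consequences the thread is about: with the block evaluated after password verification, the response differs for right and wrong passwords, so the endpoint confirms whether a password is valid even though the sign-in is ultimately blocked; and wrong guesses from a blocked location still count toward locking out the legitimate user. The user names, passwords, allowed-country set and lockout threshold are all constructed for the demo.

```python
"""Toy model of evaluating a blocking Conditional Access (CA) policy before vs.
after password verification. Added example, not code from the post or from
Microsoft. All users, passwords, locations and thresholds are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5        # constructed value
PBKDF2_ITERATIONS = 10_000   # lowered for the demo; use far more in production


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0

    @classmethod
    def create(cls, name: str, password: str) -> "User":
        salt = os.urandom(16)
        return cls(name, salt, _pbkdf2(password, salt))

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _pbkdf2(password, self.salt))


@dataclass
class SignInContext:
    country: str


# Constructed blocking policy: sign-ins from outside this set are denied.
ALLOWED_COUNTRIES = {"CH", "DE"}


def ca_blocks(ctx: SignInContext) -> bool:
    """The block policy needs only request context, never the password."""
    return ctx.country not in ALLOWED_COUNTRIES


def _check_password(user: User, password: str) -> bool:
    """Password check with a simple failed-attempt counter and lockout."""
    if user.failed_attempts >= LOCKOUT_THRESHOLD:
        return False  # locked out, even for the right password
    if user.verify(password):
        user.failed_attempts = 0
        return True
    user.failed_attempts += 1
    return False


def signin_block_after_auth(user: User, password: str, ctx: SignInContext) -> str:
    """Ordering the post complains about: verify the password, then apply the block."""
    if not _check_password(user, password):
        return "invalid_credentials"
    if ca_blocks(ctx):
        return "blocked_by_policy"  # a different answer => the password was correct
    return "success"


def signin_block_before_auth(user: User, password: str, ctx: SignInContext) -> str:
    """Ordering the post asks for: apply the block before the password is touched."""
    if ca_blocks(ctx):
        return "blocked_by_policy"  # same answer for any password; no counter update
    if not _check_password(user, password):
        return "invalid_credentials"
    return "success"


def is_password_oracle(signin, user: User, right_pw: str, wrong_pw: str,
                       ctx: SignInContext) -> bool:
    """True if the sign-in response distinguishes a correct from an incorrect password."""
    return signin(user, right_pw, ctx) != signin(user, wrong_pw, ctx)


def locked_out_after_blocked_guesses(signin, password: str, guesses: int) -> bool:
    """Send `guesses` wrong passwords from a blocked location, then report whether the
    legitimate user is now unable to sign in from an allowed location."""
    user = User.create("alice", password)
    blocked_ctx = SignInContext(country="XX")
    for i in range(guesses):
        signin(user, f"wrong-{i}", blocked_ctx)
    return signin(user, password, SignInContext(country="CH")) != "success"


if __name__ == "__main__":
    pw = "correct horse battery staple"
    abroad = SignInContext(country="XX")
    for label, fn in (("block after auth ", signin_block_after_auth),
                      ("block before auth", signin_block_before_auth)):
        print(label, "-> password oracle:",
              is_password_oracle(fn, User.create("alice", pw), pw, "guess", abroad),
              "| legit user locked out:",
              locked_out_after_blocked_guesses(fn, pw, LOCKOUT_THRESHOLD))
```

The model deliberately ignores MFA: as the thread notes, MFA stops account use but does not remove the validity signal, because the distinguishing response is returned before the MFA step. Moving the block in front of the password check makes the response identical for every password from a blocked context and leaves the failed-attempt counter untouched, which is exactly the change the suggestion asks for.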
YES YES YES! This is what I am looking for. It makes zero sense to apply a location based policy after an attacker has verified correct compromised credentials and then and only then be told "Hey, you have the correct creds but you are in a location where you are not allowed to log in." Any attacker worth their weight in gold can simply use a tool like TOR to find a location where the restriction is not implemented and continue to attack the compromised account. This seems like an obvious policy to have in place to me. We do use MFA but that does not prevent an attacker from verifying that they have the correct stolen creds in their possession if they are attacking from a "not allowed" location. Not a failsafe for sure, but again, seems like an obvious policy that should be in place. As another user has commented below, this also has the effect of locking legit users out when an attacker keeps attacking their account from a foreign location. Let's just eliminate that as a possibility. PLEASE. This can't be that difficult to implement.
It's actually a worse infrastructure design that attackers can lock out company accounts from untrusted devices or locations because CAs don't validate first!!!!!
Pirmin Felber commented
Applying some blocking policies (especially regarding Client Apps / Locations) would be useful for us as well.