Continued AD lockouts via OWA even after disabling OWA access

[Bill Dedi]

We are having issues with our C-Levels where people are constantly trying to login via Outlook Web Access. I’ve disabled access for the users but they continue to get locked out. After doing some testing, if OWA is disabled for an account, if the right password is entered the page says ‘denied access’. But if I put in the wrong password multiple times, five for our environment, the account locks out.

I’ve been beating my head on this for over two weeks. No amount of ‘google’ helps. Any suggestions?

[Joseph Moody]

What is your Azure Sign-in risk policy set to? It sounds like it is set to block user when MFA is not available.

https://portal.azure.com/#blade/Microsoft_AAD_IAM/IdentityProtectionMenuBlade/SignInPolicy

[Bill Dedi]

We haven’t transitioned to strictly Azure logins. Currently mixed. I know if they use office.microsoft.com or whatever it is, they lock the account there and it doesn’t lock the AD account. Sadly management isn’t ready to push that change out.

[Elalamein]

I think that you need a SIEM to resolve your problem…

You need to block the IP before it can lockouts the user, perhaps by inserting a firewalling rule.

[Author]

Posts