One thing to note is that SaaS applications cannot prevent login attempts. If an email address is known, anyone can attempt to log in as that account. Currently, none of the applications that SaaS Alerts supports can prevent login attempts. This is the nature of cloud-based applications: they do not check the credentials until the login attempt is made, so attempts are not actively prevented.
What if I employ a Conditional Access Policy?
Conditional access only takes effect after a successful login. It prevents access to the resources the Microsoft account logging in would normally have, but it does not prevent the login attempt from occurring. To test, set a geolocation conditional access policy, use a VPN, set your location to anywhere that violates that policy, and then navigate to https://login.microsoftonline.com/. You will see that attempts are never blocked.
Additional Insight
Please note that some products monitored by SaaS Alerts may record events in which unknown account names attempt to log in to the SaaS Tenant domain. Where possible, SaaS Alerts DOES record even these as events. The “unknown user” event, when available, can help inform Partner security teams if a Tenant domain is under increased surveillance or probing.
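As an added example (not SaaS Alerts code), the following Python triages sign-in events along the two lines described above: a Conditional Access block means the login itself succeeded, so that account's credentials should be treated as exposed, and repeated "unknown user" events from one source indicate probing of the tenant. The record field names, the threshold and the sample events are constructed assumptions; the numeric values are Microsoft Entra ID AADSTS sign-in error codes.

```python
from collections import defaultdict

# Microsoft Entra ID sign-in error codes (AADSTS) used for triage.
UNKNOWN_USER = 50034   # account does not exist in the tenant
BAD_PASSWORD = 50126   # invalid username or password
BLOCKED_BY_CA = 53003  # blocked by a Conditional Access policy

# Constructed sample records. Field names are simplified assumptions,
# not the SaaS Alerts or Microsoft Graph schema.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "ip": "203.0.113.10", "code": BAD_PASSWORD},
    {"user": "alice@example.com", "ip": "203.0.113.10", "code": BAD_PASSWORD},
    {"user": "alice@example.com", "ip": "203.0.113.10", "code": BLOCKED_BY_CA},
    {"user": "ghost1@example.com", "ip": "198.51.100.7", "code": UNKNOWN_USER},
    {"user": "ghost2@example.com", "ip": "198.51.100.7", "code": UNKNOWN_USER},
    {"user": "ghost3@example.com", "ip": "198.51.100.7", "code": UNKNOWN_USER},
    {"user": "bob@example.com", "ip": "192.0.2.44", "code": 0},  # success
]


def triage(events, probe_threshold=3):
    """Return (accounts blocked by Conditional Access,
    {source IP: unknown usernames tried}) for IPs at or above the threshold."""
    ca_blocked = set()
    unknown_by_ip = defaultdict(set)
    for ev in events:
        if ev["code"] == BLOCKED_BY_CA:
            # Conditional Access applies after a successful login, so the
            # password was accepted: this account is a reset candidate.
            ca_blocked.add(ev["user"])
        elif ev["code"] == UNKNOWN_USER:
            unknown_by_ip[ev["ip"]].add(ev["user"])
    probing = {
        ip: sorted(users)
        for ip, users in unknown_by_ip.items()
        if len(users) >= probe_threshold
    }
    return sorted(ca_blocked), probing


if __name__ == "__main__":
    reset_candidates, probing_ips = triage(SAMPLE_EVENTS)
    print("Reset credentials for:", reset_candidates)
    print("Unknown-user probing from:", probing_ips)
```
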