Receive an e-mail alert if an Office 365 Administrator repeatedly fails to provide correct credentials

by
post views: 3,761

Introduction

Users with Office 365 administrator roles are very much sensitive users, and besides protecting them with various features such as Conditional Access and MFA, it might be interesting to know if someone tries to brute force or guess their credentials.

In this post I will walk you through how you can setup a policy in Cloud App Security, that automatically sends you an e-mail, if someone fails to provide the correct credentials for users with any Office 365 administrator role assigned.

Sneak peek at the Cloud App Security portal displaying the alert created during this guide

Configuration

  • I’m assuming you are licensed for Cloud App Security and obviously have a work space created already. All the fun takes place at portal.cloudappsecurity.com
  • Once logged into the Cloud App Security portal, navigate to Control -> Policies as illustrated below

  • Cloud App Security comes with a lot of built in policies, but in this scenario, we are going to create a new Activity Policy on Create policy

  • Name: O365 Admins Failed Logins
  • Description: Create alert and send e-mail if correct credentials are failed to be provided for 3 consecutive tries for all O365 administrator roles
  • Filters: In this example, I have chosen to only trigger an alert, if the wrong credentials are provided 3 times within 30 minutes

  • Fill out the rest of the policy as shown below or make your own edits if necessary

  • Finish off creating the new policy on Create

The e-mail

  • The scenario is easily tested and the result is below alert received in your inbox.

Enjoy 🙂

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.