Users with Office 365 administrator roles are highly sensitive accounts. Besides protecting them with features such as Conditional Access and MFA, it is useful to know when someone tries to brute force or guess their credentials.
In this post I will walk you through how to set up a policy in Cloud App Security that automatically sends you an e-mail if someone fails to provide the correct credentials for a user with any Office 365 administrator role assigned.
- I’m assuming you are licensed for Cloud App Security and already have a workspace created. All the fun takes place at portal.cloudappsecurity.com
- Once logged into the Cloud App Security portal, navigate to Control -> Policies as illustrated below
- Cloud App Security comes with a lot of built-in policies, but in this scenario we are going to create a new Activity Policy via Create policy
  - Name: O365 Admins Failed Logins
  - Description: Create alert and send e-mail if correct credentials are failed to be provided for 3 consecutive tries for all O365 administrator roles
  - Filters: In this example, I have chosen to only trigger an alert if the wrong credentials are provided 3 times within 30 minutes
- Fill out the rest of the policy as shown below, or make your own edits if necessary
- Finish creating the new policy by clicking Create
- The scenario is easily tested, and the result is the alert below, received in your inbox.
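
To check the threshold chosen above (3 failed logins within 30 minutes, administrator accounts only) against exported sign-in records, the same rule can be expressed as a sliding window. This is an added example, not part of the original post and not Cloud App Security's own implementation; the event tuple layout, the `ADMINS` set and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                    # failed logins needed to alert (from the policy filter)
WINDOW = timedelta(minutes=30)   # timeframe from the policy filter

# Assumption: accounts that hold an Office 365 administrator role.
ADMINS = {"admin1@contoso.example", "admin2@contoso.example"}

# Constructed sample events: (ISO timestamp, user, result)
SAMPLE_EVENTS = [
    ("2024-01-10T08:00:00", "admin1@contoso.example", "failure"),
    ("2024-01-10T08:05:00", "user1@contoso.example", "failure"),
    ("2024-01-10T08:10:00", "admin1@contoso.example", "failure"),
    ("2024-01-10T08:12:00", "admin2@contoso.example", "failure"),
    ("2024-01-10T08:25:00", "admin1@contoso.example", "failure"),  # 3rd in 25 min
    ("2024-01-10T08:26:00", "user1@contoso.example", "failure"),
    ("2024-01-10T08:27:00", "user1@contoso.example", "failure"),   # not an admin
    ("2024-01-10T09:00:00", "admin2@contoso.example", "failure"),  # 48 min after first
    ("2024-01-10T09:40:00", "admin2@contoso.example", "failure"),
]


def find_alerts(events, admins=ADMINS, threshold=THRESHOLD, window=WINDOW):
    """Return (user, first_failure, last_failure) for each burst that hits the threshold."""
    recent = defaultdict(deque)  # per-user timestamps of failures still inside the window
    alerts = []
    for ts, user, result in sorted(events):  # ISO timestamps sort chronologically
        if user not in admins or result != "failure":
            continue
        when = datetime.fromisoformat(ts)
        failures = recent[user]
        failures.append(when)
        # Drop failures that have aged out of the 30-minute window.
        while when - failures[0] > window:
            failures.popleft()
        if len(failures) >= threshold:
            alerts.append((user, failures[0], when))
            failures.clear()  # one alert per burst, then start counting again
    return alerts


if __name__ == "__main__":
    for user, first, last in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT {user}: {THRESHOLD} failed logins between {first} and {last}")
```

Slow guessing spread wider than the window (as with the second admin account in the sample) stays under this threshold, which is worth keeping in mind when picking the count and timeframe for the policy.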