365 Access Policy Violation

Alert title: “Access Policy Violation”

Description: Alerts if an otherwise successful login (user/pass worked) – was blocked due a Conditional Access Policy.

Options:

• It is possible to ignore users
• It is possible to ignore login from specific IP addresses

The problem: This alert is triggered when an otherwise successful login (user/password worked) – was blocked by a Conditional Access Policy. 

Impact: This could be a sign of a compromised account. If this is the case, the attacker may try to further by-pass the Conditional Access Policies.    This may lead to a compromised account.

Suggested steps: Engage a technician to confirm that the alert is accurate. Confirm if the event was a legitimate end user (failing a business rule) – or an un-authorised attacker.