I have a question regarding how network zone restrictions are implemented. We recently discovered evidence of a brute force attack on our Office 365 tenant originating from China, Singapore, and Hong Kong. Because our Office 365 tenant is federated to Okta, and Okta is federated to our AD, we had multiple users complaining of locked AD accounts.
I've implemented a network zone restriction at the Okta login policy level to not allow any logins from those specific countries (we don't have any users there), but will this prevent user accounts from being locked out? By examining the logs, it looks like the zone restriction is being applied after the authentication request happens (tested with a VPN that has an endpoint in Hong Kong), but I'm not quite sure of that. Is there a better way?
However, locking the Okta account is still a significant event for a user since we have many critical services integrated into Okta. I guess the original question still applies: would a brute force attack from a restricted network zone still trigger an Okta lockout?
The Okta account will become locked, yes, but all the applications would still be assigned to the user and not deactivated (if lifecycle management is being used). You could, as part of the password policy, allow the user's account to become unlocked after a set amount of time (shown below in the password policy definition), and you can also enable a self-service user unlock capability.
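The two practical questions in this thread are "did the blocked zone actually stop the lockouts?" and "what does the auto-unlock / self-service unlock setting look like?". The script below is an added example, not code from the thread or from Okta: it runs a small triage over constructed Okta System Log events (field names follow the System Log schema: `eventType`, `outcome.result`, `actor.alternateId`, `client.geographicalContext.country`) to list users whose lockout is explained entirely by failures from the blocked countries, and builds the password-policy lockout fragment and self-service unlock rule using the Policy API field names (`settings.password.lockout.autoUnlockMinutes`, `actions.selfServiceUnlock`). The country list is taken from the question; the events, users and IPs are invented for the example, and the policy field names should be checked against the Policy API reference before use.

```python
from collections import Counter, defaultdict

# Countries named in the question; Okta's System Log reports full country names.
BLOCKED_COUNTRIES = {"China", "Singapore", "Hong Kong"}


def _event(user, country, ip, result, reason=None, event_type="user.session.start"):
    # Helper to build a constructed System Log event with only the fields we use.
    ev = {
        "eventType": event_type,
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
        "outcome": {"result": result},
    }
    if reason:
        ev["outcome"]["reason"] = reason
    return ev


# Constructed sample: alice is hammered only from China and gets locked; bob fails
# from Hong Kong but also from the US before being locked; carol is never locked.
SAMPLE_EVENTS = [
    _event("alice@example.com", "China", "203.0.113.10", "FAILURE", "INVALID_CREDENTIALS"),
    _event("alice@example.com", "China", "203.0.113.10", "FAILURE", "INVALID_CREDENTIALS"),
    _event("alice@example.com", "China", "203.0.113.11", "FAILURE", "INVALID_CREDENTIALS"),
    _event("alice@example.com", "China", "203.0.113.11", "FAILURE", event_type="user.account.lock"),
    _event("bob@example.com", "Hong Kong", "198.51.100.7", "FAILURE", "INVALID_CREDENTIALS"),
    _event("bob@example.com", "United States", "192.0.2.44", "FAILURE", "INVALID_CREDENTIALS"),
    _event("bob@example.com", "United States", "192.0.2.44", "FAILURE", "INVALID_CREDENTIALS"),
    _event("bob@example.com", "United States", "192.0.2.44", "FAILURE", event_type="user.account.lock"),
    _event("carol@example.com", "Singapore", "203.0.113.99", "FAILURE", "INVALID_CREDENTIALS"),
]


def failures_by_country(events):
    """Map user -> {country: number of failed sign-in attempts}."""
    counts = defaultdict(Counter)
    for ev in events:
        if ev.get("eventType") != "user.session.start":
            continue
        if ev.get("outcome", {}).get("result") != "FAILURE":
            continue
        user = ev["actor"]["alternateId"]
        country = ev.get("client", {}).get("geographicalContext", {}).get("country", "unknown")
        counts[user][country] += 1
    return {u: dict(c) for u, c in counts.items()}


def locked_users(events):
    """Users for which a user.account.lock event was recorded."""
    return {ev["actor"]["alternateId"] for ev in events if ev.get("eventType") == "user.account.lock"}


def lockouts_explained_by_blocked_zones(events, blocked=BLOCKED_COUNTRIES):
    """Locked users whose failed sign-ins all came from blocked countries.

    If this list is non-empty after the deny rule went live, the rule is being
    evaluated after the credential check and is not preventing lockouts.
    """
    failures = failures_by_country(events)
    return sorted(
        user for user in locked_users(events)
        if user in failures and set(failures[user]) <= blocked
    )


def lockout_settings(max_attempts=10, auto_unlock_minutes=30):
    """settings.password.lockout fragment of an Okta Password Policy.

    autoUnlockMinutes > 0 releases the Okta lock after that many minutes
    instead of requiring an admin unlock (field names per the Policy API).
    """
    return {"settings": {"password": {"lockout": {
        "maxAttempts": max_attempts,
        "autoUnlockMinutes": auto_unlock_minutes,
        "userLockoutNotificationChannels": ["EMAIL"],
        "showLockoutFailures": False,
    }}}}


def self_service_unlock_rule(name="Allow self-service unlock"):
    """Password policy rule granting users self-service unlock (Policy API shape)."""
    return {
        "type": "PASSWORD",
        "name": name,
        "conditions": {"people": {"users": {"exclude": []}},
                       "network": {"connection": "ANYWHERE"}},
        "actions": {"passwordChange": {"access": "ALLOW"},
                    "selfServicePasswordReset": {"access": "ALLOW"},
                    "selfServiceUnlock": {"access": "ALLOW"}},
    }


if __name__ == "__main__":
    print("failures by country:", failures_by_country(SAMPLE_EVENTS))
    print("locked:", sorted(locked_users(SAMPLE_EVENTS)))
    print("lockouts explained by blocked zones:", lockouts_explained_by_blocked_zones(SAMPLE_EVENTS))
    print("lockout policy fragment:", lockout_settings())
```

To run this against a real tenant, replace `SAMPLE_EVENTS` with the JSON array returned by `GET /api/v1/logs` for the window in question; a user appearing in `lockouts_explained_by_blocked_zones` after the zone restriction was applied confirms the observation in the question that the deny is happening after the password is checked against AD. Note that auto-unlock only releases the Okta lock; the AD lockout that the delegated authentication caused is governed by the domain's own lockout policy.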