Matthew McLaughlin

Behavior of network zone restrictions

I have a question regarding how network zone restrictions are implemented. We recently discovered evidence of a brute force attack on our Office 365 tenant originating from China, Singapore, and Hong Kong. Because our Office 365 tenant is federated to Okta, and Okta is federated to our AD, we had multiple users complaining of locked AD accounts.

I've implemented a network zone restriction at the Okta login policy level to not allow any logins from those specific countries (we don't have any users there), but will this prevent user accounts from being locked out? By examining the logs, it looks like the zone restriction is being applied after the authentication request happens (tested with a VPN that has an endpoint in Hong Kong), but I'm not quite sure of that. Is there a better way?
Gabriel Sroka (Okta, Inc.)
Hi Matthew
To avoid locked AD accounts, consider setting the Okta lockout lower than the AD lockout, so only the Okta account will get locked. Search this document:
for "Preventing Active Directory account lockouts" for more info.
Matthew McLaughlin
This is helpful, thanks. I'll check that setting.

However, locking the Okta account is still a significant event for a user since we have many critical services integrated into Okta. I guess the original question still applies: would a brute force attack from a restricted network zone still trigger an Okta lockout?
Kevin Turner (Okta, Inc.)
The Okta account will become locked, yes, but all the applications would still be assigned to the user and not deactivated (if lifecycle management is being used). You could, as part of the password policy, allow the user's account to become unlocked after a set amount of time (shown below in the password policy definition), and you can also enable a self-service user unlock capability.

[Screenshot: password policy definition]
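As an added illustration (not code from the thread or from Okta), here is a small Python model of the delegated-authentication chain the replies describe: Okta counts failed attempts and locks at its own threshold, forwards attempts to AD only while its account is unlocked, and AD keeps a separate counter. The `zone_checked_before_auth` flag is an assumption used to model both orderings Matthew asks about; its default (False, zone evaluated after the credential check) matches the thread's answer that the Okta account still locks. Thresholds, countries and the attempt stream are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class Account:
    """Failure counter and lock state for one directory (Okta or AD)."""
    threshold: int          # consecutive failures that trigger a lockout
    failures: int = 0
    locked: bool = False

    def record_failure(self) -> None:
        self.failures += 1
        if self.failures >= self.threshold:
            self.locked = True


def simulate(attempts, okta_threshold, ad_threshold, blocked_countries,
             zone_checked_before_auth=False):
    """Replay (country, password_correct) attempts through Okta -> AD.

    Returns (okta_locked, ad_locked, attempts_forwarded_to_ad).
    zone_checked_before_auth is an assumed knob: True models a zone policy
    that denies the request before any credential check reaches AD.
    """
    okta = Account(okta_threshold)
    ad = Account(ad_threshold)
    forwarded = 0
    for country, correct in attempts:
        if zone_checked_before_auth and country in blocked_countries:
            continue            # denied by policy; no counter moves anywhere
        if okta.locked:
            continue            # Okta refuses the attempt; AD never sees it
        forwarded += 1          # delegated auth: AD validates the password
        if not correct:
            ad.record_failure()
            okta.record_failure()
    return okta.locked, ad.locked, forwarded


# Constructed sample: 20 wrong-password attempts from a blocked country.
BLOCKED = {"CN", "SG", "HK"}
BRUTE_FORCE = [("HK", False)] * 20


def lower_okta_threshold():
    """Gabriel's advice: Okta threshold 5 < AD threshold 10 spares AD."""
    return simulate(BRUTE_FORCE, 5, 10, BLOCKED)


def equal_thresholds():
    """Okta 10 == AD 10: both accounts lock on the same attempt."""
    return simulate(BRUTE_FORCE, 10, 10, BLOCKED)


if __name__ == "__main__":
    print(lower_okta_threshold())   # (True, False, 5)
    print(equal_thresholds())       # (True, True, 10)
```

The thresholds are only relative: what matters is that Okta locks strictly before AD would, so the attacker's remaining attempts are absorbed by the Okta lock rather than forwarded.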