
JohnN.03536 (Customer) asked a question.
We have been trying to set up a layered mechanism to limit logons against our Okta tenant and enabled Apps. While I recognize that Okta has some additional services we could utilize to simplify this, at this time, this is where we're at.
We have the following "Networks" set up:
- Dynamic Blacklisted Zone: manually updated with countries we see high 'failed logins from'
- A Home Network Zone: "the corporate offices"
- A Lower Threat zone: locations employees frequently travel to
Globally:
- We have a Sign-on rule that states IF login isn't from "Low Threat Zone" deny it
At an application level:
- Per app we have a few rules that prompt select groups for MFA if the user is not in the Home Network Zone.
Now my issue is this. The Lower threat zone is a very small group of countries (North America and Korea for example). I know for a fact that I have had employees travel to Europe and be able to continue to use applications (O365 specifically) without running into the "Lower Threat" zone denial.
However today I had two employees that went to Europe and specifically they were attempting to use the Box app and were being denied based on the Lower Threat zone block.
My question / theory is that the way the O365 apps manage authentication is not "doing a full authentication" process? and therefore not running into the Lower Threat zone block? Though the "successful" process for both (once I added the country in question to the lower-threat zone) looks identical.

Welcome to Okta Help Center.
Are you also using by any chance Behavioral Detection to help out with filtering logins? It's a bit tricky to see exactly how the sign-on policies get triggered without seeing the login process itself but pre-evaluation of the sign on policy might be in effect to discourage and help mitigate spray/brute force attacks. If you want to discuss more in depth, please open up a Support ticket with us.
Best regards,
Vlad Huma
Technical Support Engineer
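One way to see which app sign-ons from outside the "Lower Threat" zone had a sign-on policy evaluation in the same session, shown as an added example that is not part of the thread or Okta's own code. It uses the Okta System Log event types `policy.evaluate_sign_on` and `user.authentication.sso`; the sample events, user names, and zone country list are constructed assumptions.

```python
# Added example: audit Okta System Log events for app access from outside a zone.
# Assumption: country names as they appear in client.geographicalContext.country.
LOW_THREAT = {"United States", "Canada", "South Korea"}

def ev(event_type, user, session, country, result, app=None):
    """Build a constructed event shaped like an Okta System Log entry."""
    return {
        "eventType": event_type,
        "actor": {"alternateId": user},
        "outcome": {"result": result},
        "client": {"geographicalContext": {"country": country}},
        "authenticationContext": {"externalSessionId": session},
        "target": [{"type": "AppInstance", "displayName": app}] if app else [],
    }

# Constructed sample data, not real log output.
EVENTS = [
    ev("policy.evaluate_sign_on", "alice@example.com", "s1", "United States", "ALLOW"),
    ev("user.authentication.sso", "alice@example.com", "s1", "Germany", "SUCCESS",
       "Microsoft Office 365"),
    ev("policy.evaluate_sign_on", "bob@example.com", "s2", "Germany", "DENY"),
    ev("policy.evaluate_sign_on", "carol@example.com", "s3", "France", "ALLOW"),
    ev("user.authentication.sso", "carol@example.com", "s3", "France", "SUCCESS", "Box"),
]

def app_name(event):
    """Return the display name of the AppInstance target, if any."""
    for target in event.get("target") or []:
        if target.get("type") == "AppInstance":
            return target.get("displayName")
    return None

def out_of_zone_access(events, allowed):
    """Map (user, app, country) -> True if a sign-on policy was evaluated
    in the same session from that same country, else False."""
    evaluated, sso = set(), []
    for e in events:
        country = ((e.get("client") or {}).get("geographicalContext") or {}).get("country")
        session = (e.get("authenticationContext") or {}).get("externalSessionId")
        if e["eventType"] == "policy.evaluate_sign_on":
            evaluated.add((session, country))
        elif (e["eventType"] == "user.authentication.sso"
              and e["outcome"]["result"] == "SUCCESS" and country not in allowed):
            sso.append((e["actor"]["alternateId"], app_name(e), country, session))
    return {(u, a, c): (s, c) in evaluated for u, a, c, s in sso}

if __name__ == "__main__":
    for key, seen in out_of_zone_access(EVENTS, LOW_THREAT).items():
        print(key, "policy evaluated in session from that country:", seen)
```

A `False` entry marks an app sign-on from a country outside the zone where the session's policy evaluation happened elsewhere, which is the case to compare against the denied Box attempts.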