Suspicious IP Throttling
Suspicious IP throttling, which protects your tenant against suspicious logins targeting too many accounts from a single IP address, is enabled by default for all connections.
Triggers
Suspicious IP throttling is triggered when either of the following occurs:
100 failed login attempts originate from the same IP address within 24 hours
50 signup attempts originate from the same IP address within a minute
Behavior
When triggered, suspicious IP throttling will:
Block suspicious IP addresses for 15 minutes.
Send an email notification (if configured) to account administrator(s).
For example, if any combination of users attempts to sign in from IP1 and fails to log in 100 times within 24 hours, then future login and signup attempts from IP1 will be blocked. Similarly, if any combination of users attempts to sign up 50 times within 1 minute from IP1, then future login and signup attempts from IP1 will be blocked.
If throttling is triggered, it can be removed by an administrator.
Configuration
You can configure suspicious IP throttling in the following ways:
Enable/disable traffic throttling from an IP address when a high number of login or signup attempts target too many accounts.
Configure a list of trusted IP addresses from which users can access your resources.
Enable/disable whether to notify account administrators by email when traffic is throttled on one or more IP addresses due to high-velocity traffic.
Special cases
Because suspicious IP throttling depends on the IP address of the user, the following use cases require additional configuration:
Using the Resource Owner Password Grant from the backend of an application: A call made this way does not get the IP address of the user; to make suspicious IP throttling work correctly, configure your application to send the IP address of the user as part of the request. See Avoid Common Issues with Resource Owner Password Flow and Attack Protection: Send the user's IP address from your server.
Authenticating a large number of users from the same IP address: Users who are behind a proxy are more likely to reach set limits and trigger throttling. You can avoid erroneously triggering throttling by configuring an AllowList for the proxy's IP and CIDR range. See Avoid Common Issues with Resource Owner Password Flow and Attack Protection: Configure your Application to trust the IP address.
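The triggers, the 15-minute block and the AllowList described on this page, modelled as an added example (this is not the service's own code). The sliding-window counting, the class and function names, and the 203.0.113.0/24 proxy range are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Thresholds as stated on this page: kind -> (limit, window in seconds).
LIMITS = {"failed_login": (100, 24 * 3600), "signup": (50, 60)}
BLOCK_SECONDS = 15 * 60  # a triggered IP is blocked for 15 minutes


class IPThrottle:
    """Simplified model; sliding-window counting is an assumption."""

    def __init__(self, allowlist=()):
        self.allow = [ipaddress.ip_network(n, strict=False) for n in allowlist]
        self.events = {kind: defaultdict(deque) for kind in LIMITS}
        self.blocked_until = {}  # ip -> time (seconds) at which the block ends

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def unblock(self, ip):
        """An administrator removes the block before it expires."""
        self.blocked_until.pop(ip, None)

    def record(self, kind, ip, now):
        """Count one failed login or signup attempt; return True if ip is blocked."""
        if any(ipaddress.ip_address(ip) in net for net in self.allow):
            return False  # trusted addresses are never counted
        if self.is_blocked(ip, now):
            return True  # rejected while the block is active
        limit, window = LIMITS[kind]
        q = self.events[kind][ip]
        q.append(now)
        while q and q[0] <= now - window:  # drop events that left the window
            q.popleft()
        if len(q) >= limit:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            q.clear()
        return self.is_blocked(ip, now)


def simulate_proxy(allowlist):
    """Constructed scenario: 120 users behind one proxy each mistype a password once."""
    throttle = IPThrottle(allowlist)
    for i in range(120):  # one failure every 30 s from the shared address
        throttle.record("failed_login", "203.0.113.10", now=i * 30)
    return throttle.is_blocked("203.0.113.10", now=119 * 30 + 1)
```

With an empty allowlist the shared proxy address ends up blocked after the hundredth failure; with the proxy's CIDR range allowlisted the same traffic is never counted.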