A customer reported that after investigating an identity attack and creating a rule to disallow a VPN or location, the account can lock again because the system appears to evaluate earlier activity from that same VPN or location.
This creates a confusing experience because the default rule timing says “Starts Immediately,” which suggests the rule should only apply going forward from the moment it is created. Instead, it can appear to act on past events, which feels misleading and can interrupt remediation efforts.
The requested improvement is for newly created VPN or location rules to trigger only on events that occur after the rule creation time. If historical evaluation is intended behavior, the product wording should be updated so the expectation is clear before the rule is saved.
This change would reduce confusion, prevent avoidable re-lockouts, and better support admins who are trying to quickly investigate and restore access during an active incident.