Azure AD B2C Custom Policies Password Protection Smart Lockout feature is not working as intended


My team is trying to implement an account lockout based on the number of login attempts. In Azure AD B2C > Authentication Methods > Password Protection we changed the lockout threshold to 3 and lockout duration in seconds to 180 (3 mins). Then we tried it using our custom policy for sign-in, ran the policy directly from the portal with https://jwt.ms as a reply url.


Here are some of the issues we came across while testing. One is that the account is never locked out even after 10 tries. Yes, we are fully aware of the smart lockout feature, so we used a strong password generator for testing. But still, the account is never locked out.


Then we found a quick fix/workaround on Stack Overflow. After implementing the quick fix, the user's account is getting locked out after 3 tries. But this is not consistent: sometimes the account is locked out after 3 tries, sometimes after 4 or 5. And also, after the account has been locked out there are occurrences where we can still successfully log in right after the error message shows up that the account is locked out.


Our questions are: is there an existing issue on Azure's side that prevents the use of the account lockout feature in Azure AD B2C custom policies? If not, are we missing something when we're setting up / configuring account lockout in Azure AD B2C > Authentication Methods > Password Protection in the portal? Do we need to add / remove something in our custom policies? Or are there other solutions for implementing account lockout based on the number of login attempts?


If there are no fixes / workarounds based on the previously mentioned questions, can we instead implement the account lockout feature using JavaScript?

3 Replies

@chris-swapoo We are having the exact same issue. Even when accounts are reported to be locked out, they can still be logged into right after the lockout message.

We are using a B2C custom policy and we have the same issue: the account locked-out message is shown, but the next correct attempt allows the user to sign in (the account is not getting locked out).
According to the documentation, when you test smart lockout, your sign-in requests might be handled by different datacenters due to the geo-distributed and load-balanced nature of the Azure AD authentication service. In that scenario, because each Azure AD datacenter tracks lockout independently, it might take more than your defined lockout threshold number of attempts to cause a lockout.
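The behaviour described in the last reply (independent per-datacenter lockout counters behind a load balancer) explains both symptoms in this thread: more failed attempts than the configured threshold before a lockout is reported, and a successful sign-in right after the lockout message. The following model is an added illustration written for this page; it is not code from the thread, from Azure AD B2C, or from Microsoft. It assumes a hypothetical round-robin routing of requests across datacenters and a hypothetical `Datacenter.attempt` counter; the real service's routing and counter semantics are not visible here, and the numbers (threshold 3, duration 180 s) are just the values the original poster configured.

```python
"""Constructed model of smart lockout tracked independently per datacenter.

Hypothetical simulation, not Azure AD B2C code: each datacenter keeps its
own failed-attempt counter, and a load balancer spreads the requests of one
account across datacenters. This reproduces why a threshold of 3 can need
4 or 5 attempts to trigger, and why a correct password can still succeed
right after a "locked out" response.
"""
from dataclasses import dataclass


@dataclass
class Datacenter:
    name: str
    threshold: int          # failed attempts before lockout (OP used 3)
    duration_s: int         # lockout duration in seconds (OP used 180)
    failed: int = 0
    locked_until: float = 0.0  # logical timestamp; 0.0 means not locked

    def attempt(self, password_ok: bool, now: float) -> str:
        """Return 'locked', 'success' or 'failed' for one sign-in request."""
        if self.locked_until > now:
            return "locked"
        if self.locked_until and now >= self.locked_until:
            # lockout window expired on this datacenter: start over
            self.locked_until = 0.0
            self.failed = 0
        if password_ok:
            self.failed = 0
            return "success"
        self.failed += 1
        if self.failed >= self.threshold:
            self.locked_until = now + self.duration_s
            return "locked"
        return "failed"


class LoadBalancedTenant:
    """Several datacenters with no shared counter; requests go round-robin."""

    def __init__(self, n_datacenters: int, threshold: int, duration_s: int):
        self.dcs = [Datacenter(f"dc{i}", threshold, duration_s)
                    for i in range(n_datacenters)]
        self._rr = 0

    def sign_in(self, password_ok: bool, now: float) -> tuple[str, str]:
        dc = self.dcs[self._rr % len(self.dcs)]   # assumed round-robin routing
        self._rr += 1
        return dc.name, dc.attempt(password_ok, now)


def attempts_until_locked(n_datacenters: int, threshold: int,
                          duration_s: int = 180) -> tuple[int, LoadBalancedTenant]:
    """Count wrong-password attempts (one per second) until any DC says 'locked'."""
    tenant = LoadBalancedTenant(n_datacenters, threshold, duration_s)
    attempts = 0
    while True:
        attempts += 1
        _, outcome = tenant.sign_in(False, now=float(attempts))
        if outcome == "locked":
            return attempts, tenant


def correct_password_after_lock(n_datacenters: int, threshold: int,
                                duration_s: int = 180) -> tuple[str, str]:
    """The very next request after the lockout message, with the right password."""
    attempts, tenant = attempts_until_locked(n_datacenters, threshold, duration_s)
    return tenant.sign_in(True, now=float(attempts + 1))


if __name__ == "__main__":
    for n in (1, 2, 3):
        count, _ = attempts_until_locked(n, threshold=3)
        dc, outcome = correct_password_after_lock(n, threshold=3)
        print(f"{n} datacenter(s): locked after {count} attempts; "
              f"next correct password routed to {dc} -> {outcome}")
```

With a single datacenter the lockout appears exactly at the third failure and the following correct password is still refused, which is the behaviour the original poster expected. With two or three independent datacenters the lockout message only appears after 5 or 7 attempts, and the next request lands on a datacenter whose counter is still below the threshold, so the correct password succeeds. The practical consequence for a defender is that the portal threshold is a per-datacenter floor, not a tenant-wide guarantee, and lockout testing should be judged over many attempts rather than by the exact count.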