Azure AD B2C Custom Policies Password Protection Smart Lockout feature is not working as intended


My team is trying to implement an account lockout based on the number of login attempts. In Azure AD B2C > Authentication Methods > Password Protection we changed the lockout threshold to 3 and the lockout duration in seconds to 180 (3 mins). Then we tried it using our custom policy for sign-in, running the policy directly from the portal with https://jwt.ms as the reply URL.

Here are some of the issues we came across while testing. One is that the account is never locked out, even after 10 tries. Yes, we are fully aware of the smart lockout feature, so we used a strong password generator for testing. But still, the account is never locked out.

Then we found a quick fix/workaround on Stack Overflow. After implementing the quick fix, the user's account is getting locked out after 3 tries. But this is not consistent: sometimes the account is locked out after 3 tries, sometimes after 4 or 5. And also, after the account has been locked out, there are occurrences where we can still successfully log in right after the error message shows up saying that the account is locked out.

Our questions are: is there an existing issue on Azure's side that prevents the use of the account lockout feature in Azure AD B2C custom policies? If not, are we missing something when we're setting up / configuring account lockout in Azure AD B2C > Authentication Methods > Password Protection in the portal? Do we need to add / remove something in our custom policies? Or are there other solutions for implementing account lockout based on the number of login attempts?

If there are no fixes / workarounds based on the previously mentioned questions, can we instead implement the account lockout feature using JavaScript?
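An added example, not part of the original post: a Python audit that replays a sign-in log against the lockout policy described above (threshold 3, duration 180 s) and flags the two behaviours the post reports, a password still being evaluated after the threshold was reached and a successful sign-in while the account should still be locked. The log format, timestamps and user name are constructed for the example; real Azure AD B2C sign-in logs would need their own parser.

```python
from datetime import datetime, timedelta

# Values from the question: 3 failed attempts, then a 180-second lockout.
LOCKOUT_THRESHOLD = 3
LOCKOUT_DURATION = timedelta(seconds=180)

# Constructed sample log (not real B2C sign-in log output):
# "<ISO timestamp> <user> <outcome>"; outcome is failure (wrong password
# rejected), locked (lockout error shown) or success.
SAMPLE_LOG = """\
2021-09-01T10:00:00 alice failure
2021-09-01T10:00:05 alice failure
2021-09-01T10:00:10 alice failure
2021-09-01T10:00:15 alice failure
2021-09-01T10:00:20 alice locked
2021-09-01T10:00:25 alice success
2021-09-01T10:05:00 alice success
"""

def parse_log(text):
    """Parse constructed log lines into (timestamp, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, outcome))
    return events

def audit_lockout(events, threshold=LOCKOUT_THRESHOLD, duration=LOCKOUT_DURATION):
    """Replay sign-in events against the expected lockout policy.
    Returns (timestamp, user, reason) for every event that contradicts it."""
    failures = {}      # user -> consecutive failures since last lock/success
    locked_until = {}  # user -> time the expected lock expires
    anomalies = []
    for ts, user, outcome in events:
        if user in locked_until and ts >= locked_until[user]:
            del locked_until[user]          # lock expired: start a fresh window
            failures[user] = 0
        if user in locked_until:
            if outcome != "locked":         # only a lockout error is acceptable here
                anomalies.append((ts, user, f"{outcome} while account should be locked"))
            continue
        if outcome == "failure":
            failures[user] = failures.get(user, 0) + 1
            if failures[user] >= threshold:  # threshold reached: expect a lock
                locked_until[user] = ts + duration
        elif outcome == "locked":
            anomalies.append((ts, user, "lockout error before threshold reached"))
        else:  # success resets the failure counter
            failures[user] = 0
    return anomalies
```

Running `audit_lockout(parse_log(SAMPLE_LOG))` reports the 4th failure at 10:00:15 and the success at 10:00:25, both inside the expected lock window.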
