Sep 14 2021
- last edited on
Jan 14 2022
My team is trying to implement an account lockout based on the number of login attempts. In Azure AD B2C > Authentication Methods > Password Protection we changed the lockout threshold to 3 and lockout duration in seconds to 180 (3 mins). Then we tried it using our custom policy for sign-in, ran the policy directly from the portal with https://jwt.ms as a reply url.
Here are some of the issues we came across while testing, one is that the account is never locked out even after 10 tries. Yes we are fully aware of the smart lockout feature, so we used a strong password generator for testing. But still, the account is never locked out.
Then we found a quick fix/workaround in stackoverflow. After implementing the quick fix, the user's account is getting locked out after 3 tries. But this is not consistent, sometimes the account is locked out after 3 tries sometimes after 4 or 5. And also, after the account has locked out there are occurrences that we can still successfully login right after the error message shows up that the account is locked out .
Our questions are, is there an existing issue on Azure's side that prevents the use of account lockout feature in Azure AD B2C custom policies? If not, are we missing something when were setting up / configuring account lockout in Azure AD B2c > Authentication Methods > Password Protection in the portal? Do we need to add / remove something in our custom policies? Or are there other solutions for implementing account lockout based on number of login attempts?
Nov 19 2021 12:52 PM
@chris-swapooWe are having the exact same issue. Even when accounts are reported to be locked out, they can still be logged into right after the lock out message.
May 25 2022 02:00 PM