Azure AD B2C Custom Policies Password Protection Smart Lockout feature is not working as intended

New Contributor

My team is trying to implement an account lockout based on the number of login attempts. In Azure AD B2C > Authentication Methods > Password Protection we changed the lockout threshold to 3 and lockout duration in seconds to 180 (3 mins). Then we tried it using our custom policy for sign-in, ran the policy directly from the portal with https://jwt.ms as a reply url.

 

Here are some of the issues we came across while testing, one is that the account is never locked out even after 10 tries. Yes we are fully aware of the smart lockout feature, so we used a strong password generator for testing. But still, the account is never locked out.

 

Then we found a quick fix/workaround in stackoverflow. After implementing the quick fix, the user's account is getting locked out after 3 tries. But this is not consistent, sometimes the account is locked out after 3 tries sometimes after 4 or 5. And also, after the account has locked out there are occurrences that we can still successfully login right after the error message shows up that the account is locked out .

 

Our questions are, is there an existing issue on Azure's side that prevents the use of account lockout feature in Azure AD B2C custom policies? If not, are we missing something when were setting up / configuring account lockout in Azure AD B2c > Authentication Methods > Password Protection in the portal? Do we need to add / remove something in our custom policies? Or are there other solutions for implementing account lockout based on number of login attempts?

 

If there are no fixes / workarounds based on the previously mentioned questions, can we instead implement the account lockout feature using JavaScript?

2 Replies

@chris-swapooWe are having the exact same issue. Even when accounts are reported to be locked out, they can still be logged into right after the lock out message.

We are using b2c custom policy and we have the same issue that account locked out message is shown but the next correct attempt allows the user to sign in (The account is not getting locked out)