Any updates on allowing custom lockout policies? #33679
Comments
@nezoic Thanks for your feedback! We will investigate and update as appropriate.
We're currently looking into this issue @nezoic and will get back to you as soon as possible.
Currently there is no specific AAD B2C custom policy for password lockout. However, you can use the tenant AD lockout policy, and you can adjust this for B2C via the Azure Graph API, and soon via the Azure AD blade, just like in Azure AD today. Changing the values via the Graph API will be reflected in the UI too. The Smart Lockout is a tenant-wide setting. Go to https://developer.microsoft.com/en-us/graph/graph-explorer and log in with the Global Admin account of the B2C directory; it must be @something.onmicrosoft.com. Make the following request with the JSON body, where lockoutThreshold is used to determine the number of failed attempts to lock out an account.
Once complete, you can modify the settings by first getting the Id of the object created by running Then to update the settings:
@FrankHu-MSFT Thanks! Does this also cover password reset attempts or would that fall under another policy/setting?
@FrankHu-MSFT This doesn't appear to work. I successfully posted the same JSON in your example, then did a GET and I see the LockoutThreshold is set to 2. After I failed 5 B2C logins, I could still log in successfully. Am I missing something else? Edit: I just tried 15 failed logins and it never locked the account out. Shouldn't it fail after 10 by default? I think there may be a bug here. Edit: Turns out you have to use DIFFERENT passwords. Attempting to log in with the same bad password will only count as one failed attempt no matter how many times you actually attempt it. Makes sense from a strictly brute force perspective.
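The counting behaviour reported in the comment above (the same wrong password submitted repeatedly counts once; only distinct wrong passwords advance the counter toward the threshold) is easier to reason about with a small model. The following Python is an added example for this thread, not code from Microsoft or from Azure AD B2C's implementation: the threshold of 10, the 60-second lock duration, the PBKDF2 password storage, the per-user fingerprint of failed attempts, and the `alice@example.test` account are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Hypothetical model of "smart lockout" counting, added to illustrate the
# behaviour reported in the thread: the same wrong password submitted again
# is deduplicated and counts as one failed attempt; only DISTINCT wrong
# passwords advance the counter. Threshold, lock duration, PBKDF2 storage
# and the fingerprint scheme are assumptions, not Azure AD B2C's internals.

THRESHOLD = 10        # assumed default, mirroring the "10 by default" in the thread
LOCKOUT_SECONDS = 60  # assumed lock duration for the example


class SmartLockoutAuthenticator:
    def __init__(self, threshold=THRESHOLD, lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.clock = clock                 # injectable for deterministic tests
        self._users = {}                   # user -> (salt, pbkdf2 hash)
        self._failures = {}                # user -> set of fingerprints of distinct wrong passwords
        self._locked_until = {}            # user -> time at which the lock expires

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt))

    def is_locked(self, user):
        return self.clock() < self._locked_until.get(user, 0.0)

    def failure_count(self, user):
        return len(self._failures.get(user, set()))

    def attempt(self, user, password):
        """Returns 'ok', 'wrong', 'repeat' (same wrong password again) or 'locked'."""
        if self.is_locked(user):
            return "locked"
        if user in self._locked_until:     # an earlier lock has expired: start a fresh window
            del self._locked_until[user]
            self._failures.pop(user, None)
        salt, stored = self._users.get(user, (b"", b""))
        if stored and hmac.compare_digest(self._hash(password, salt), stored):
            self._failures.pop(user, None)  # success clears the counter
            return "ok"
        # Fingerprint the wrong password (bound to the user) instead of storing it,
        # so an identical retry is recognised without keeping plaintext around.
        fp = hashlib.sha256(user.encode() + b"\0" + password.encode()).digest()
        seen = self._failures.setdefault(user, set())
        if fp in seen:
            return "repeat"                 # same bad password: does not advance the count
        seen.add(fp)
        if len(seen) >= self.threshold:
            self._locked_until[user] = self.clock() + self.lockout_seconds
            return "locked"
        return "wrong"


def demo_scenarios():
    """Replays the observations from the thread against the model with a fixed clock."""
    now = [1_000.0]
    auth = SmartLockoutAuthenticator(clock=lambda: now[0])
    auth.register("alice@example.test", "correct horse")      # constructed test account
    # 15 tries with the SAME wrong password: counted once, account never locks.
    same = [auth.attempt("alice@example.test", "wrong-1") for _ in range(15)]
    count_after_same = auth.failure_count("alice@example.test")
    still_ok = auth.attempt("alice@example.test", "correct horse")
    # Ten DIFFERENT wrong passwords: the tenth distinct failure trips the lock.
    distinct = [auth.attempt("alice@example.test", f"wrong-{i}") for i in range(1, 11)]
    locked_even_with_right_pw = auth.attempt("alice@example.test", "correct horse")
    now[0] += LOCKOUT_SECONDS + 1                              # wait out the lock
    ok_after_expiry = auth.attempt("alice@example.test", "correct horse")
    return {
        "same": same,
        "count_after_same": count_after_same,
        "still_ok": still_ok,
        "distinct": distinct,
        "locked_even_with_right_pw": locked_even_with_right_pw,
        "ok_after_expiry": ok_after_expiry,
    }


if __name__ == "__main__":
    for name, value in demo_scenarios().items():
        print(f"{name}: {value}")
```

The point of the model for a defender is the one the comment makes: a counter keyed on distinct failed passwords is what stops a user's own repeated typo from locking them out, which is also why a test that resends one bad password never reaches the threshold. When verifying a lockout policy, vary the wrong password on each attempt, and check the counter resets on a successful login and when the lock expires, as the model does.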
This is very important to meet certain regulatory guidelines in the financial industry. This single feature is preventing several clients of mine from being able to use B2C.