
Any updates on allowing custom lockout policies? #33679

Closed
nezoic opened this issue Jun 20, 2019 — with docs.microsoft.com · 5 comments

nezoic commented Jun 20, 2019

This is very important to meet certain regulatory guidelines in the financial industry. This single feature is preventing several clients of mine from being able to use B2C.



SaurabhSharma-MSFT (Contributor) commented

@nezoic Thanks for your feedback! We will investigate and update as appropriate.

frankhu-2021 commented

We're currently looking into this issue @nezoic and will get back to you as soon as possible.


frankhu-2021 commented Jun 21, 2019

Currently there is no specific AAD B2C custom policy for password lockout.

However, you can use the tenant AD lockout policy, and you can adjust this for B2C via the Azure Graph API. And soon via the Azure AD Blade, just like in Azure AD today.

Changing the values via Graph API will reflect in the UI too. The Smart Lockout is a tenant-wide setting.

Go to https://developer.microsoft.com/en-us/graph/graph-explorer and log in with the Global Admin account of the B2C directory; it must be @something.onmicrosoft.com.

Make the following request with the JSON body, where lockoutThreshold is used to determine the number of failed attempts to lock out an account.

POST https://graph.microsoft.com/beta/settings
{
  "templateId": "5cf42378-d67d-4f36-ba46-e8b86229381d",
  "values": [
    {
      "name": "LockoutDurationInSeconds",
      "value": "300"
    },
    {
      "name": "LockoutThreshold",
      "value": "2"
    },
    {
      "name": "BannedPasswordList",
      "value": ""
    },
    {
      "name": "EnableBannedPasswordCheck",
      "value": "false"
    },
    {
      "name": "BannedPasswordCheckOnPremisesMode",
      "value": "Audit"
    },
    {
      "name": "EnableBannedPasswordCheckOnPremises",
      "value": "false"
    }
  ]
}

Once complete, you can modify the settings by first getting the id of the object created by running:
GET https://graph.microsoft.com/beta/settings

Then, to update the settings:
PATCH https://graph.microsoft.com/beta/settings/<insert id>
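A small Python helper, added here and not part of the thread, that wraps the GET / POST / PATCH sequence described above: it builds the values array, looks up the existing setting object by templateId, and creates it or updates it in place. The SAMPLE_GET response, the placeholder id, the value bounds and the permission assumption are mine, not from the comment; the send callable is injected so the flow can be exercised without touching a tenant.

```python
"""Manage the tenant-wide Smart Lockout setting through the Graph beta /settings endpoint."""
import json
import urllib.request

GRAPH_SETTINGS = "https://graph.microsoft.com/beta/settings"
# templateId of the password rule settings template, as quoted in the comment above
PASSWORD_RULE_TEMPLATE = "5cf42378-d67d-4f36-ba46-e8b86229381d"
# Constructed sample of a GET /beta/settings response; the id is a placeholder.
SAMPLE_GET = {"value": [{"id": "PLACEHOLDER-SETTING-ID", "templateId": PASSWORD_RULE_TEMPLATE,
                         "values": [{"name": "LockoutThreshold", "value": "10"},
                                    {"name": "LockoutDurationInSeconds", "value": "60"}]}]}

def lockout_values(threshold: int, duration_seconds: int) -> list:
    """Build the 'values' array. Graph stores them as strings; the bounds are this example's own."""
    if not 1 <= threshold <= 999 or duration_seconds < 60:
        raise ValueError("threshold must be 1..999 and duration at least 60 seconds")
    return [{"name": "LockoutThreshold", "value": str(threshold)},
            {"name": "LockoutDurationInSeconds", "value": str(duration_seconds)}]

def find_setting_id(settings_response: dict, template_id: str = PASSWORD_RULE_TEMPLATE):
    """Return the id of the existing directorySetting built from template_id, or None."""
    for obj in settings_response.get("value", []):
        if obj.get("templateId") == template_id:
            return obj["id"]
    return None

def ensure_lockout(send, threshold: int, duration_seconds: int) -> str:
    """POST the setting when the tenant has none, otherwise PATCH the existing object.
    send(method, url, body) does the HTTP call and returns parsed JSON (or None); it is
    injected so the flow can be exercised against a fake without touching a tenant."""
    setting_id = find_setting_id(send("GET", GRAPH_SETTINGS, None))
    values = lockout_values(threshold, duration_seconds)
    if setting_id is None:
        send("POST", GRAPH_SETTINGS, {"templateId": PASSWORD_RULE_TEMPLATE, "values": values})
        return "created"
    send("PATCH", f"{GRAPH_SETTINGS}/{setting_id}", {"values": values})
    return "updated"

def graph_sender(token: str):
    """Real sender over urllib; assumes a bearer token allowed to write directory settings."""
    def send(method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None
    return send
```

Call ensure_lockout(graph_sender(token), 5, 300) against a real tenant; afterwards a GET on the endpoint shows the new values, and the portal reflects them as the comment notes.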


nezoic commented Jun 21, 2019

@FrankHu-MSFT Thanks! Does this also cover password reset attempts or would that fall under another policy/setting?


nezoic commented Jun 27, 2019

@FrankHu-MSFT This doesn't appear to work. I successfully posted the same JSON in your example, then did a GET and I see the LockoutThreshold is set to 2. After I failed 5 B2C logins, I could still log in successfully. Am I missing something else?

Edit: I just tried 15 failed logins and it never locked the account out. Shouldn't it fail after 10 by default? I think there may be a bug here.

Edit: Turns out you have to use DIFFERENT passwords. Attempting to log in with the same bad password will only count as one failed attempt no matter how many times you actually attempt it. Makes sense from a strictly brute-force perspective.
