Azure AD B2C custom policy check if account is locked - azure-ad-b2c

Is it possible to check if the user is in account locked state and within the account lockout duration?
The requirement is to provide an error to the user that the account is locked and he/she needs to wait until the lockout duration is completed on a custom sign-in journey. During the lockout period, even if the user enters a correct password we should not let them in. I checked user attributes but could not find a corresponding attribute to work with. Is accountEnabled the right one to check? Is it possible to use AAD-UserReadUsingEmailAddress-emailAddress as a first step before login-noninteractive kicks in, read the accountEnabled attribute, and provide a custom message and stop the flow if it is set to false? If this attribute is not designed for the locked state, which attribute/way should be used for this purpose?

You need to:
Have a self-asserted screen that asks for the email address.
Call a user read by email address; add accountEnabled as an output claim if it is not there.
Check accountEnabled. If false, check the time. If within the lockout period, display an error message.
If not, call login-noninteractive.
Set accountEnabled to true
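The steps above as one custom-policy fragment for TrustFrameworkExtensions.xml (an added example, not code from the original post or from Microsoft's starter pack). It assumes a policy built on the starter pack, so AAD-Common, SelfAsserted-LocalAccountSignin-Email and login-NonInteractive already exist; the profile AAD-UserReadUsingSignInName-AssertEnabled, the transformation AssertAccountEnabled and the message text are invented here. Two caveats: accountEnabled is the directory's enabled flag, set by an administrator or by your own write profile (the last step of the answer), not by smart lockout; and the time check in the third step needs a stored lockout timestamp that the answer does not define, so it is left out.

```xml
<!-- Added example (not from the original post). Assumed: starter-pack profiles
     AAD-Common, SelfAsserted-LocalAccountSignin-Email and login-NonInteractive exist.
     AAD-UserReadUsingSignInName-AssertEnabled and AssertAccountEnabled are invented names. -->
<BuildingBlocks>
  <ClaimsSchema>
    <!-- Declare accountEnabled if your schema does not already have it -->
    <ClaimType Id="accountEnabled">
      <DisplayName>Account enabled</DisplayName>
      <DataType>boolean</DataType>
    </ClaimType>
  </ClaimsSchema>
  <ClaimsTransformations>
    <!-- Makes the validation profile that runs it fail when accountEnabled is not true -->
    <ClaimsTransformation Id="AssertAccountEnabled" TransformationMethod="AssertBooleanClaimIsEqualToValue">
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="accountEnabled" TransformationClaimType="inputClaim" />
      </InputClaims>
      <InputParameters>
        <InputParameter Id="valueToCompareTo" DataType="boolean" Value="true" />
      </InputParameters>
    </ClaimsTransformation>
  </ClaimsTransformations>
</BuildingBlocks>

<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <!-- Reads the account by the sign-in email and asserts accountEnabled. Used as a
           validation profile BEFORE the password is checked, so a disabled account never
           reaches login-NonInteractive, even with the correct password. -->
      <TechnicalProfile Id="AAD-UserReadUsingSignInName-AssertEnabled">
        <DisplayName>Read user by sign-in name and assert it is enabled</DisplayName>
        <Metadata>
          <Item Key="Operation">Read</Item>
          <!-- false: an unknown email raises no error of its own here, so the caller only
               sees the generic bad-credentials error from login-NonInteractive instead of
               this step becoming an account-enumeration oracle -->
          <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>
        </Metadata>
        <IncludeInSso>false</IncludeInSso>
        <InputClaims>
          <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="signInNames.emailAddress" Required="true" />
        </InputClaims>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="objectId" />
          <OutputClaim ClaimTypeReferenceId="accountEnabled" />
        </OutputClaims>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="AssertAccountEnabled" />
        </OutputClaimsTransformations>
        <IncludeTechnicalProfile ReferenceId="AAD-Common" />
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>

  <ClaimsProvider>
    <DisplayName>Local Account SignIn</DisplayName>
    <TechnicalProfiles>
      <!-- Override of the starter-pack sign-in page: run the read-and-assert profile first -->
      <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
        <Metadata>
          <!-- Shown on the sign-in page when AssertAccountEnabled fails.
               Keep it generic: do not reveal the lockout duration. -->
          <Item Key="UserMessageIfClaimsTransformationBooleanValueIsNotEqual">This account is currently locked. Please try again later.</Item>
        </Metadata>
        <ValidationTechnicalProfiles>
          <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingSignInName-AssertEnabled" ContinueOnError="false" />
          <ValidationTechnicalProfile ReferenceId="login-NonInteractive" />
        </ValidationTechnicalProfiles>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
```

Overrides in the extensions file are merged with the base definition, so after upload verify in the uploaded policy that the read-and-assert profile runs before login-NonInteractive (or change the order in the base file). Also test the unknown-email case in your tenant: the intent is that an email that does not exist falls through to login-NonInteractive and its generic error rather than tripping the assertion, so that the locked message never confirms whether an account exists.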

Related

ADB2C password expiration notification

Is there a way for local ADB2C users to receive password expiration notifications to their email?
We are planning to set the DisablePasswordExpiration flag to false, but it's not clear if users will be getting notified that their password is about to expire.
The only way I can think to do this is to run a script on all users to set extension_passwordResetOn claim to the current date and time as per this sample.
Then every time the user logs on, get the date. When it's got to (say) 80 days, call a REST API in the custom policy to send an email stating "Password will expire in 10 days".
Yes, for local account users in an Azure AD B2C tenant we can set a notification for expiring passwords by applying the password policy.
Note: This password policy won't apply to external users.
Steps to set the password expiration policy:
In the Microsoft 365 admin center, go to the Security & privacy tab under Org Settings. If you aren't a global admin, you won't see the Security and privacy option.
Select Password expiration policy.
If you don't want users to have to change passwords, uncheck the box next to Set user passwords to expire after a number of days.
Type how often passwords should expire. Choose a number of days from 14 to 730.
In the second box, type when users are notified that their password will expire, and then select Save. Choose a number of days from 1 to 30.
Reference from the MS documentation; please have a look at Set password expiration policy.

How to check if phone number is already registered with custom policies adb2c

I am implementing an MFA custom policy with an Email or Phone option. I want to restrict the user from logging in if the phone number is not registered. In my current implementation it shows a screen to input a new number if it is not registered yet; I wanted to restrict the user from adding a new mobile number if one is not found.
I tried playing with orchestration steps but was not able to find the correct output claim to check if the user is already registered or not.
You can't really check per se; AAD B2C has a built-in uniqueness checker if you write to the identifier field, signInNames. You can store the phone number in signInNames.phoneNumber and then your uniqueness check is handled by the policy itself when you try to write the value. That prevents any user enrolling a phone number that already exists on another account.
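The write the answer describes, as an added example (not code from the original post or the starter pack). It assumes the starter-pack profile AAD-Common and the claims objectId and phoneNumber exist; the profile name AAD-UserWritePhoneNumberUsingObjectId is invented here. Persisting the number under signInNames.phoneNumber, rather than as an ordinary attribute, is what makes the directory reject a value already held by another account.

```xml
<!-- Added example (not from the original post). Assumed: AAD-Common and the claims
     objectId and phoneNumber exist; the profile Id is invented. -->
<TechnicalProfile Id="AAD-UserWritePhoneNumberUsingObjectId">
  <DisplayName>Write phone number as a sign-in name</DisplayName>
  <Metadata>
    <Item Key="Operation">Write</Item>
    <!-- Update an existing account, identified by objectId, rather than create one -->
    <Item Key="RaiseErrorIfClaimsPrincipalAlreadyExists">false</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <IncludeInSso>false</IncludeInSso>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
  </InputClaims>
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="objectId" />
    <!-- signInNames.* is the identifier collection, so the directory enforces uniqueness
         on this value across the tenant; a plain extension attribute would not -->
    <PersistedClaim ClaimTypeReferenceId="phoneNumber" PartnerClaimType="signInNames.phoneNumber" />
  </PersistedClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>
```

Reference this profile as a ValidationTechnicalProfile of the self-asserted page that collects the phone number, so a number already registered on another account is rejected before the page completes.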

ClaimTransformation to update an integer value

I need to create a custom policy to record the number of failed signin request for a user. After 5 failed signins in a row, the account needs to be disabled.
My approach was to use a B2C user attribute to record the number of signin failures, but I cannot find a way to increment the user attribute. How would I do this using custom policies?
What you want to achieve is available out of the box.
Please use https://learn.microsoft.com/en-us/azure/active-directory-b2c/threat-management#manage-password-protection-settings to automatically lock the account when a wrong password is entered.

In Azure AD, how to exclude a subset of users from requiring authentication info when first signing in

In my Azure AD tenant, I currently have it configured so that users logging in for the first time must register at least one authentication method (e.g. an alternate email, a phone number). This is useful for MFA and self-service password reset (SSPR) - screenshot here.
I want to have several non-interactive service accounts that will not be configured for either MFA or for SSPR. Therefore, these non-interactive service accounts do not need alternate authentication methods. However, under my current setting, these service accounts are prompted to enter alternate authentication methods on first login:
First with the "More Info Required" screen (screenshot), which you cannot cancel out of, and then with the "don't lose access to your account!" screen (screenshot), which actually does allow the user to cancel the operation.
This is extra inconvenient because, when adding an email, email verification is required, which doesn't allow us to do this programmatically (screenshot).
If I do just click "Cancel" on the "don't lose access to your account!" screen, I can simply proceed to sign-in without inputting alternate authentication methods (screenshot).
So the question is: how can I exclude a certain subset of users (e.g. non-interactive service accounts) from requiring alternate authentication info when first signing in?
We can include only a certain subset of groups for SSPR under Password Reset->Properties. This feature does not have an "Exclude" list, which makes it more difficult to implement.
More details in an MSDN forums post:
https://social.msdn.microsoft.com/Forums/en-US/51affd2c-a2c8-4faa-bbd8-bd1773c985d4/how-to-exclude-a-subset-of-users-from-requiring-authentication-info-when-first-signing-in?forum=WindowsAzureAD&prof=required

Azure AD B2C - Retrieve account lockout time

After N failed login attempts with a wrong password the account gets locked.
Documentation says the lockout interval increases after further failed login attempts: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout#manage-azure-ad-smart-lockout-values
Is there a way to query this information, how long the account is still locked? With Graph API for instance.
I would like to show this information to the user.
The subsequent lockout durations are not published. It's also not recommended to create customized error messages that provide a possible attacker with the lockout period. However, please feel free to provide your feedback at https://feedback.azure.com/forums/169401-azure-active-directory.
