Password Protection not working for Custom B2C Flow - azure-ad-b2c

I have a custom B2C login flow and I have set the "Authentication methods | Password protection" lockout threshold to 5. When I use the flow I am expecting to be locked out after I have 5 failed logins. The first 5 fails are reported as invalid username/password, and I was expecting to get an "account locked" response on the 6th failure, but I just get the invalid username/password response. Why isn't this working as expected?

I tried Password Protection by following this link, and it works well.
Maybe you missed these two details.
Note:
Entering the same password repeatedly doesn't count as multiple unsuccessful logins.
Select Azure AD B2C -> Security, not Azure Active Directory -> Security.

Related

Is there a lockout feature in Azure AD MFA?

I am using AzureAD. And I am implementing MFA.
I know that if the user ID and password login fails a certain number of times, it locks me out.
However, repeated failures in MFA after passing user ID and password authentication will not lock out the user.
Repeated failures on the MFA screen will return you to the initial login screen.
Is this a specification?
If it is possible to lock out even with MFA, please let me know how.
Yes, a lockout feature is available in Azure AD MFA. Please note that this feature is applied only when the users use a PIN code for the MFA prompt.
In order to configure this feature, you need an administrator role.
Account lockout happens based on the number of failed attempts you provide in the settings.
To configure this feature, please follow below steps:
Go to Azure Portal -> Azure Active Directory -> Security -> Multifactor authentication -> Account lockout
In the above fields, enter the number based on your requirement and Save.
Like this, you can configure lockout feature in Azure AD MFA.
Make sure to use PIN for MFA authentication.
Full credit to the Microsoft Doc below:
Configure Azure AD Multi-Factor Authentication - Azure Active Directory - Microsoft Entra | Microsoft Docs

Azure AD B2C Custom Policies are not Respecting B2C Password Protection Configuration

In order to protect B2C accounts from brute force password attacks, I followed this Microsoft Documentation: https://learn.microsoft.com/en-us/azure/active-directory-b2c/threat-management
I'm currently experiencing these issues with custom policies and the smart lockout feature:
The number of invalid unique password attempts that are allowed is inconsistent. I have it set for a threshold of 5, but it seems to be 5 or more.
The lockout period doesn't seem to be respected. Immediately after getting locked out (see Screenshot of Account Locked Error), B2C allows me to sign in on the very next attempt, even though the configured lockout time hasn't been met.
Screenshot of Account Locked Error
Screenshot of Azure B2C Password Protection settings
Are there any other settings I have to configure or custom policy modifications I need to make in order for this to work properly/consistently? I've been able to reproduce this inconsistency in 3 different Azure AD B2C tenants. The custom policies use the login-NonInteractive technical profile to complete the login. The policies that were the original starting point were pulled from the Azure AD B2C Custom Policy Starter Pack: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack
Any help is greatly appreciated, Thanks!
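As an added illustration (not code from either question's tenant, and not B2C's own implementation), here is a small Python model of the counting rule both lockout threads above run into: repeated submissions of the same wrong password count once, the threshold is reached only by distinct wrong passwords, and a locked account refuses even the correct password until the configured duration elapses. The user name, passwords and clock values are constructed for the scenario.

```python
import hashlib
import time
from collections import defaultdict

class SmartLockoutModel:
    """Illustrative model (constructed here, not B2C's own code) of the smart-lockout rule:
    only distinct wrong passwords count toward the threshold, and a locked account
    rejects every sign-in, even with the right password, until the lockout elapses."""
    def __init__(self, threshold=5, lockout_seconds=60, clock=time.monotonic):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._seen = defaultdict(set)  # user -> hashes of distinct wrong passwords
        self._locked_until = {}        # user -> clock value at which lockout expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() < until:
            return True
        del self._locked_until[user]   # lockout elapsed: start fresh
        self._seen.pop(user, None)
        return False

    def attempt(self, user, password, correct_password):
        """Return 'locked', 'invalid' or 'ok' for one sign-in attempt."""
        if self.is_locked(user):
            return "locked"
        if password == correct_password:
            self._seen.pop(user, None)
            return "ok"
        # Hash so the model never stores the wrong password; a repeat hashes to the same key.
        self._seen[user].add(hashlib.sha256(password.encode()).hexdigest())
        if len(self._seen[user]) >= self.threshold:
            self._locked_until[user] = self.clock() + self.lockout_seconds
        return "invalid"

def run_scenario(threshold=5, lockout_seconds=60):
    """Scripted run with a fake clock; returns the outcomes for checking."""
    now = [0.0]
    model = SmartLockoutModel(threshold, lockout_seconds, clock=lambda: now[0])
    outcomes = [model.attempt("alice", "wrong-0", "correct") for _ in range(10)]  # repeats count once
    for i in range(1, threshold):  # distinct wrong passwords reach the threshold
        outcomes.append(model.attempt("alice", f"wrong-{i}", "correct"))
    outcomes.append(model.attempt("alice", "correct", "correct"))  # locked even with the right password
    now[0] += lockout_seconds  # lockout elapses
    outcomes.append(model.attempt("alice", "correct", "correct"))
    return outcomes
```

The ten repeats of "wrong-0" never lock the account on their own, which is the behaviour the first answer's note describes; only the four further distinct passwords bring the count to the threshold.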

Setting MFA phone number for a user AAD B2C

I'm trying to set a phone number for a user for MFA:
This gives me the error:
"Partial failure in authentication methods update Unable to update phone methods for user"
Why is that? The phone number is still stored. Am I correct that the number in the field is stored in the strongAuthenticationPhoneNumber property, which cannot be read?
It appears that there is something wrong with this feature in the Azure Portal currently, and it also exists in Azure AD (not just in B2C).
If you are using an admin account that is a guest user, the backend will give an error (401 Unauthorized), but the update will be successful.
If a normal admin account is used, the update will be successful without any errors.

Azure B2C MFA at User level and Sign-In Policy level

I have a web application that authenticates with my B2C tenant with MFA turned on at the Sign-In Policy level [at this point MFA is disabled at User Level] and the policy is configured to use "username" to login. The application works fine and the user is able to login ... What I am trying to accomplish is to have MFA at user level meaning only certain users will be able to use MFA while others will be able to login without MFA.
The problem that I am facing is, when I turn on MFA at User Level and turn off MFA at Sign-In Policy level
Screenshot: MFA at user level
after the first password authentication screen, the redirect to the multi-factor authentication screen (where it asks the user where to send the code) is failing. Instead it goes back to the first password authentication screen and seems to be in a loop. When both MFAs are turned off, it works fine with the password authentication and the user is able to login to the application. When both are turned on, it's the same behavior where it goes back to the first password screen in a loop. Am I missing something here, or is it even possible to do this?
Azure AD B2C does not have out-of-the-box support for user-level MFA.
The UI you referenced is from enterprise Azure AD, and while it shows up for Azure AD B2C as well, as you've noticed, it won't work.
The best approximation to what you are looking for is having two policies, one with MFA and one without MFA. You would have to implement your own mapping table and route users through the appropriate policy.

Azure AD B2C - Error on reset password policy custom template (error code UX016)

I'm using Active Directory B2C with a local identity provider with username, and the policies that I'm using are: Sign-up or sign-in policies and Password reset policies, both with Custom Templates.
When I try to recover the password everything works out fine until I do the verification code. When the verification code from the e-mail works and I then press "continue", this is the error that's presented:
Bad Request
URL:
https://login.microsoftonline.com/prosamx.onmicrosoft.com/B2C_1_ResetPwd/api/SelfAsserted/error?code=UX016&desc=OK&csrf_token=Y1BjMjF2TjdMVm5MbXhyLyt4MHFzUlVsQzcyUXA2VVVZUDVoQml6S20xL2JQd3ppbHZadTBVaHl2ZTlMMUx1YkJSUkZTeVhnY2grL2lPZ3F1OE92Q1E9PTsyMDE3LTA1LTAyVDE4OjQ4OjQ2LjM5MTU4NDRaO09ZV2hNTEpoT2RYMUQwWllkLzVoSlE9PTt7IlRhcmdldEVudGl0eSI6IlBhc3N3b3JkUmVzZXRVc2luZ1VzZXJOYW1lRXhjaGFuZ2UiLCJPcmNoZXN0cmF0aW9uU3RlcCI6Mn0=&tx=eyJUSUQiOiI4MGRjODIwMC05MjA1LTRlODEtOTIyNy00NTNkMzRjNGQ3ZTUifQ&p=B2C_1_ResetPwd
This happens when using the username at the local identity provider.
I hope you can help me out.
Thanks, regards.
Password reset depends on a StrongAuthenticationEmail property on the user object and uses that to do the email-address-based OTP verification before allowing a self-service Password Reset.
If your users used the signup flow we ship out of the box to register, when the signup flow verifies the email address, B2C writes that into the StrongAuthenticationEmail property.
Based on looking at your tenant, it seems the users do not have this property set. For userName-based accounts, without this property there is no other way to do self-service password reset. This can happen because the users were created by a flow that directly calls the AAD Graph API outside of the signup flow we offer, or you have turned off email address validation as part of the signup flow.
Thank you for reporting this issue; we will fix the error message so that it clearly states what the problem is for self-diagnosis.
Thank you,
Vikram.
I am getting a similar unhelpful error of "Bad Request" on signup. I verify the email address via the verification code, fill out all the fields and then bam - get the error.
https://login.microsoftonline.com//B2C_1_Login-UserName/api/SelfAsserted/error
?code=UX016
&desc=OK
&csrf_token=
&p=B2C_1_Login-UserName