Are Azure Smart Lockout features now available for B2C - azure

I'm trying to determine if Azure Smart Lockout features are now available for B2C as of today. I've found older documents discussing it, but I'm unable to find any official word on whether it is now available. In the B2C tenant, under AD, Authentication methods is showing and you can open it up. However, it says it's in Preview and everything is greyed out. Does this mean that it will be available in B2C soon to be able to control lockout parameters? Azure Smart Lockout documentation states that Smart Lockout will require a minimum of an AD Basic or higher account to function. Does anyone know if the B2C tenant will require its own license or whether a license in the base subscription will cover it?
Thx

If you are referring to Azure AD smart lockout being available for the local accounts in an Azure AD B2C tenant, then currently this isn't available.
Also note, the Azure AD Basic and Premium licenses aren't applicable to an Azure AD B2C tenant (in fact, the "Licenses" menu should be disabled).

Similar functionality to "smart lockout" is available in a B2C tenant, but isn't (yet) customisable.
Screenshot below of a test getting locked out after entering the password incorrectly 10 times (the default setting).
According to Microsoft docs (https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-threat-management)
Azure AD B2C uses a sophisticated strategy to lock accounts. The accounts are locked based on the IP of the request and the passwords entered. The duration of the lockout also increases based on the likelihood that it's an attack. After a password is tried 10 times unsuccessfully, a one-minute lockout occurs.
[cut]
Currently, you can't:
Trigger a lockout with fewer than 10 failed logins
Retrieve a list of locked out accounts
Configure the lock out policy
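To make the behaviour quoted above concrete, here is an added Python model of a smart-lockout counter (example code written for this page, not Microsoft's implementation and not part of the original answer). It assumes, as the quoted docs describe, that state is tracked per account and per source IP, that only distinct wrong passwords count toward the threshold (retyping the same wrong password does not), and that the lockout duration doubles on each consecutive lockout; the threshold, base duration, escalation factor, user name, IP address and password are all constructed sample values.

```python
"""Illustrative smart-lockout model (added example; not Microsoft's code).

Tracks failed sign-ins per (account, source IP). Distinct wrong passwords are
counted; once `threshold` of them are seen the key is locked for
`base_lockout_seconds`, and each consecutive lockout lasts `escalation` times
longer. A correct password while locked is still refused, which is the
behaviour that matters for brute-force resistance.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class _State:
    wrong_pw: set = field(default_factory=set)  # keyed hashes of distinct wrong passwords
    lockouts: int = 0                            # consecutive lockouts, drives escalation
    locked_until: float = 0.0                    # clock value at which the lock expires


class SmartLockout:
    def __init__(self, threshold=10, base_lockout_seconds=60, escalation=2,
                 clock=time.monotonic):
        self.threshold = threshold
        self.base = base_lockout_seconds
        self.escalation = escalation
        self.clock = clock                       # injectable for deterministic tests
        self._key = secrets.token_bytes(32)      # per-process key: no plain wrong-password hashes kept
        self._state = {}

    def _state_for(self, username, source_ip):
        return self._state.setdefault((username.lower(), source_ip), _State())

    def seconds_locked(self, username, source_ip):
        st = self._state_for(username, source_ip)
        return max(0.0, st.locked_until - self.clock())

    def attempt(self, username, source_ip, password, verify):
        """Returns 'locked', 'success' or 'failure'. `verify` is the real credential check."""
        st = self._state_for(username, source_ip)
        now = self.clock()
        if st.locked_until > now:
            return "locked"                      # refused before the password is even checked
        if verify(username, password):
            st.wrong_pw.clear()
            st.lockouts = 0
            return "success"
        st.wrong_pw.add(hmac.new(self._key, password.encode(), "sha256").hexdigest())
        if len(st.wrong_pw) < self.threshold:
            return "failure"
        st.lockouts += 1
        st.locked_until = now + self.base * (self.escalation ** (st.lockouts - 1))
        st.wrong_pw.clear()
        return "locked"


# Constructed sample data for the demonstrations below.
USER = "alice@contoso.example"
IP = "203.0.113.7"          # TEST-NET-3 documentation address
OTHER_IP = "198.51.100.9"   # TEST-NET-2 documentation address
PASSWORD = "correct horse battery staple"


def _verify(username, password):
    return username == USER and password == PASSWORD


def _fresh(threshold, clock):
    return SmartLockout(threshold=threshold, base_lockout_seconds=60,
                        escalation=2, clock=lambda: clock[0])


def demo_lockout_and_recovery():
    """Five distinct wrong passwords lock the (user, IP); another IP is unaffected."""
    clock = [0.0]
    sl = _fresh(5, clock)
    results = [sl.attempt(USER, IP, f"wrong-{i}", _verify) for i in range(5)]
    results.append(sl.attempt(USER, IP, PASSWORD, _verify))        # correct, but locked
    results.append(sl.attempt(USER, OTHER_IP, PASSWORD, _verify))  # different IP, not locked
    clock[0] += 61
    results.append(sl.attempt(USER, IP, PASSWORD, _verify))        # lock expired
    return results


def demo_repeated_same_password():
    """Retyping one wrong password never reaches the distinct-password threshold."""
    clock = [0.0]
    sl = _fresh(5, clock)
    return [sl.attempt(USER, IP, "same-wrong-password", _verify) for _ in range(20)]


def demo_escalation():
    """Second consecutive lockout lasts twice as long as the first."""
    clock = [0.0]
    sl = _fresh(5, clock)
    for i in range(5):
        sl.attempt(USER, IP, f"wrong-{i}", _verify)
    first = sl.seconds_locked(USER, IP)
    clock[0] += first + 1
    for i in range(5):
        sl.attempt(USER, IP, f"wrong-again-{i}", _verify)
    return first, sl.seconds_locked(USER, IP)


if __name__ == "__main__":
    print(demo_lockout_and_recovery())
    print(demo_repeated_same_password())
    print(demo_escalation())
```

The point of the model for a defender is the two checks it makes visible: the lock is enforced before the credential is verified, so a correct guess during the window is still refused, and only distinct passwords count, which is why a legitimate user retyping the same wrong password is not locked out while a dictionary run is.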

Azure Smart Lockout features are available for B2C. See this article for details.
I wasn't able to save those values for some of my B2C tenants from the Azure portal, but I was able to change the lockout threshold and lockout duration using the Graph API using the instructions from this post.

Related

Is there a lockout feature in Azure AD MFA?

I am using AzureAD. And I am implementing MFA.
I know that if the user ID and password login fails a certain number of times, it locks me out.
However, repeated failures in MFA after passing user ID and password authentication will not lock out the user.
Repeated failures on the MFA screen will return you to the initial login screen.
Is this a specification?
If it is possible to lock out even with MFA, please let me know how.
Yes, the lockout feature is available in Azure AD MFA. Please note that this feature is applied only when the users use a PIN code for the MFA prompt.
In order to configure this feature, you need an administrator role.
Based on the number of failed attempts you provide in the settings, the account lockout happens accordingly.
To configure this feature, please follow below steps:
Go to Azure Portal -> Azure Active Directory -> Security -> Multifactor authentication -> Account lockout
In the above fields, enter the number based on your requirement and Save.
Like this, you can configure the lockout feature in Azure AD MFA.
Make sure to use a PIN for MFA authentication.
Full credit to the Microsoft Doc below:
Configure Azure AD Multi-Factor Authentication - Azure Active Directory - Microsoft Entra | Microsoft Docs

Azure AD B2C Custom Policies are not Respecting B2C Password Protection Configuration

In order to protect B2C accounts from brute force password attacks, I followed this Microsoft Documentation: https://learn.microsoft.com/en-us/azure/active-directory-b2c/threat-management
I'm currently experiencing these issues with custom policies and the smart lockout feature:
The number of invalid unique password attempts that are allowed are inconsistent. I have it set for a threshold of 5, but it seems to be 5 or more.
The lockout period doesn't seem to be respected. Immediately after getting locked out (see Screenshot of Account Locked Error), B2C allows me to sign in on the very next attempt, even though the configured lockout time hasn't been met.
Screenshot of Account Locked Error
Screenshot of Azure B2C Password Protection settings
Are there any other settings I have to configure or custom policy modifications I need to make in order for this to work properly/consistently? I've been able to reproduce this inconsistency in 3 different Azure AD B2C tenants. The custom policies use the login-NonInteractive technical profile to complete the login. The policies that were the original starting point were pulled from the Azure AD B2C Custom Policy Starter Pack: https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack
Any help is greatly appreciated, Thanks!

How do I programmatically clear or update a phone number for Azure AD B2C MFA?

We are testing MFA on Azure AD B2C using the sample found here: https://github.com/azure-ad-b2c/samples/tree/master/policies/mfa-unknown-devices
We know it can be done via the Azure Portal, but it is not an option for us to give customers access to our tenant (customer self service).
Previous posts pointed me to wait for an update from Graph API, and we are playing with the beta now: https://learn.microsoft.com/en-us/graph/api/resources/authenticationmethods-overview?view=graph-rest-beta
Running Get authenticationMethod only shows Azure AD B2C users with MFA enabled as having password authentication, no phone number.
Anyone been able to get the beta Graph API working with Azure AD B2C MFA or come up with a workaround clearing/updating phone numbers?
Since Graph API does not appear to be the answer, we were able to find a sample Azure AD B2C custom policy that allows a user to edit their phone number. To get a "reset" functionality, we added a check for a claim that would designate the user needs to reenroll in MFA and then trigger this workflow.
https://github.com/azure-ad-b2c/samples/tree/master/policies/edit-mfa-phone-number
MS Graph API does not support this operation for B2C. Please go through MSDN documentation which can give you more information about Microsoft Graph operations available for Azure AD B2C.

Azure AD B2C account lockout

Is there a way to configure account lockout in Azure AD B2C?
From my research, I was able to find out that Azure locks the account after 10 unsuccessful login attempts and locks it for 60 seconds. But I want to configure the number of attempts to 5, the account to be locked forever and won't display a message to the user to call our customer care or follow certain steps to get the account unlocked. I want a Graph API call to unlock the locked account.
Any pointers in this regard will be helpful.
Thanks in advance
I don't believe you can configure this lockout information using either the Azure Portal or the Azure AD Graph API.
(I wish, in future, Azure AD B2C allows customization of the smart lockout values that are supported by Azure AD.)

Sign-in to B2C using either Personal or Work or School email address

I am currently working on a B2C setup for my company.
In our Azure AD account, I have an email, say myemail#mycompany.com, which has a password.
I also have a Microsoft Live account using the same email, myemail#mycompany.com, which has a different password.
I have created a B2C setup using the following documentations.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-msa-app
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-setup-msa-app/
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-app-registration/
After doing the B2C set up, I am able to obtain a link, below is an example.
https://login.microsoftonline.com/mycompany.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_signin1&client_Id=&nonce=defaultNonce&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=form_post&scope=openid&response_type=id_token&prompt=login
In my Azure setup, I already have both emails (Azure AD and Microsoft Live) added to my list of users.
My problem is, when I use the link generated from my B2C setup, it only seems to allow me to sign in using the Microsoft Live account (which has a different password from my Azure AD account).
Is there a way, or a configuration, which will allow my B2C setup to invoke the sign in page to choose either my Personal (Microsoft Live account) or work or school (Azure AD) account?
At the moment, B2C does not properly support work accounts from AAD (ironic, eh?). You're correct in that personal accounts from MSA work just fine.
In B2C, you can add "local accounts" as an IDP, which will allow users listed in your tenant to sign into the app. I can't actually recall if that local account option allows you to sign in with a work account in your B2C tenant. You could give it a try if that's what you need. Most people however need proper support for AAD tenants, where work accounts are a dedicated option on the "IDP selection" screen. B2C doesn't have that today.
I do have a scratched together sample .NET app on my GitHub that shows how you can add support for work accounts and B2C in the same app. It's not pretty, but it works.
As for the same email/different password problem: even adding the above support won't help. We don't expect that users will really be able to decipher a "work Microsoft account" button from a "personal Microsoft account" button. So, we are doing work to eliminate these situations, by limiting the number of users who get into such a situation and by providing an account linking option for those that are.
We do plan to support AAD work accounts in the near future. Sometimes your own family members are the hardest to work with.
If you feel so inclined, you can add your feature requests to https://feedback.azure.com/forums/169401-azure-active-directory/category/160596-b2c