Is it possible to set "Account lockout threshold" and "Lockout duration" for a sign-in policy in Azure AD B2C?
Thanks in advance.
No, I don't believe you can configure these lockout settings, using either the Azure Portal or the Azure AD Graph API.
(I hope, in future, Azure AD B2C allows customization of the smart lockout values that are supported by Azure AD.)
Related
I'm trying to determine if Azure Smart Lockout features are now available for B2C as of today? I've found older documents discussing it, but I'm unable to find any official word if it is now available. In the B2C tenant, under AD, Authentication methods is showing and you can open it up. However, it says it's in Preview and everything is greyed out. Does this mean that it will be available in B2C soon to be able to control lockout parameters? Azure Smart Lockout documentation states that Smart Lockout will require a minimum of AD Basic or higher account to function. Does anyone know if the B2C tenant will require its own lic or will a lic in the base subscription cover it?
Thx
If you are referring to Azure AD smart lockout being available for the local accounts in an Azure AD B2C tenant, then currently this isn't available.
Also note, the Azure AD Basic and Premium licenses aren't applicable to an Azure AD B2C tenant (in fact, the "Licenses" menu should be disabled).
Similar functionality to "smart lockout" is available in a B2C tenant, but isn't (yet) customisable.
Screenshot below of testing getting locked out after entering the password incorrectly 10 times (the default setting).
According to Microsoft docs (https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-threat-management)
Azure AD B2C uses a sophisticated strategy to lock accounts. The accounts are locked based on the IP of the request and the passwords entered. The duration of the lockout also increases based on the likelihood that it's an attack. After a password is tried 10 times unsuccessfully, a one-minute lockout occurs.
[cut]
Currently, you can't:
Trigger a lockout with fewer than 10 failed logins
Retrieve a list of locked out accounts
Configure the lock out policy
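A toy model of the lockout behaviour described in the documentation quoted above, added here as an example; it is not Microsoft's implementation and not code from any of the posts. The 10-attempt threshold and one-minute lockout come from the quote; keeping state per (account, IP) pair, counting a repeated wrong password once, and doubling the duration on each further lockout are assumptions, and all names and sample values are constructed.

```python
import hashlib
from dataclasses import dataclass, field

THRESHOLD = 10        # from the quoted docs: 10 unsuccessful tries
BASE_LOCKOUT_S = 60   # from the quoted docs: one-minute lockout

@dataclass
class State:
    bad: set = field(default_factory=set)  # hashes of wrong passwords seen
    lockouts: int = 0                      # how many lockouts so far
    locked_until: float = 0.0

class LockoutModel:
    """Toy lockout tracker; state is kept per (account, source IP) pair."""

    def __init__(self, verify):
        self.verify = verify   # callable(account, password) -> bool
        self.states = {}

    def attempt(self, account, ip, password, now):
        st = self.states.setdefault((account, ip), State())
        if now < st.locked_until:
            return "locked"            # rejected without checking the password
        if self.verify(account, password):
            st.bad.clear()
            return "ok"
        # Assumption: retyping the same wrong password is counted only once.
        st.bad.add(hashlib.sha256(password.encode()).hexdigest())
        if len(st.bad) < THRESHOLD:
            return "denied"
        # Assumption: each further lockout doubles the previous duration.
        st.locked_until = now + BASE_LOCKOUT_S * 2 ** st.lockouts
        st.lockouts += 1
        st.bad.clear()
        return "locked"

def demo():
    """Constructed scenario: one guessing source, one legitimate user."""
    m = LockoutModel(lambda acct, pw: pw == "correct-horse")
    guesses = [m.attempt("alice", "203.0.113.5", f"guess{i}", now=i) for i in range(10)]
    return {
        "guesses": guesses,  # nine "denied", then "locked"
        "same_ip": m.attempt("alice", "203.0.113.5", "correct-horse", now=30),
        "other_ip": m.attempt("alice", "198.51.100.7", "correct-horse", now=30),
        "after_expiry": m.attempt("alice", "203.0.113.5", "correct-horse", now=69),
    }

if __name__ == "__main__":
    print(demo())
```

In this model the legitimate user on a different address is not locked out by guesses coming from the first address, which is the practical effect of tying the lockout to the request IP.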
Azure Smart Lockout features are available for B2C. See this article for details.
I wasn't able to save those values for some of my B2C tenants from the Azure portal, but I was able to change the lockout threshold and lockout duration using Graph API using instructions from this post.
Is there a way to configure account lock in Azure AD B2C?
As of my research, I was able to find out that Azure locks the account after 10 unsuccessful login attempts and locks it for 60 seconds. But I want to configure the number of attempts to 5, the account to be locked forever and won't display a message to the user to call our customer care or follow certain steps to get the account unlocked. I want a Graph API call to unlock the locked account.
Any pointers in this regard will be helpful.
Thanks in advance
I don't believe you can configure this lockout information using either the Azure Portal or the Azure AD Graph API.
(I wish, in future, Azure AD B2C allows customization of the smart lockout values that are supported by Azure AD.)
Is it possible to reset or change a user's password in Azure AD B2C Free Tier? If so, is there an example of how to do that?
This page seems to indicate that this is only available as paid options.
B2C is a separate service from Azure AD (though it runs on top of Azure AD).
The page you linked is for Azure AD, not B2C.
B2C allows users to reset their password by themselves if you enable the policy for that and configure it in your app: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-policies#create-a-password-reset-policy.
You can find pricing for B2C here: https://azure.microsoft.com/en-us/pricing/details/active-directory-b2c/
Are the identity protections in this article, Azure Active Directory Identity Protection, applicable to Azure AD B2C?
At this time, Azure AD B2C does not support Azure AD Identity Protection.
You can request this feature in the Azure AD B2C feedback forum.
Azure MFA documentation discusses a "trusted device" feature. Specifically, the ability for a user to select "remember me on this device" when they log in with MFA to avoid MFA for a given period of time on the same device.
Is this feature available using MFA through Azure AD B2C? If so, where is this documented?
At this time, Azure AD B2C's MFA feature does NOT support the ability to set a device as a "trusted device".
You can request this feature in the Azure AD B2C feedback forum.