Azure AD B2C account lockout - azure-ad-b2c

Is there a way to configure account lockout in Azure AD B2C?
As per my research, I was able to find out that Azure locks the account after 10 unsuccessful login attempts and locks it for 60 seconds. But I want to configure the number of attempts to 5, the account to be locked forever, and won't display a message to the user to call our customer care or follow certain steps to get the account unlocked. I want a Graph API call to unlock the locked account.
Any pointers in this regard will be helpful.
Thanks in advance

I don't believe you can configure this lockout information using either the Azure Portal or the Azure AD Graph API.
(I wish, in future, Azure AD B2C allows customization of the smart lockout values that are supported by Azure AD.)

Related

Is there a lockout feature in Azure AD MFA?

I am using AzureAD. And I am implementing MFA.
I know that if the user ID and password login fails a certain number of times, it locks me out.
However, repeated failures in MFA after passing user ID and password authentication will not lock out the user.
Repeated failures on the MFA screen will return you to the initial login screen.
Is this a specification?
If it is possible to lock out even with MFA, please let me know how.
Yes, a lockout feature is available in Azure AD MFA. Please note that this feature applies only when users use a PIN code for the MFA prompt.
In order to configure this feature, you need an administrator role.
Based on the number of failed attempts you provide in the settings, account lockout happens accordingly.
To configure this feature, please follow the steps below:
Go to Azure Portal -> Azure Active Directory -> Security -> Multifactor authentication -> Account lockout
In the above fields, enter the number based on your requirement and Save.
Like this, you can configure the lockout feature in Azure AD MFA.
Make sure to use a PIN for MFA authentication.
Full credit to the Microsoft Doc below:
Configure Azure AD Multi-Factor Authentication - Azure Active Directory - Microsoft Entra | Microsoft Docs

Azure AD B2C login page is slow

I am using Azure AD B2C authentication for an Angular SPA. For some reason the login takes around 10 secs to load; when I check the browser dev tools there are 2 requests which take most of the time. Is there a way to optimize this load time?
Open Id configuration endpoint - 3sec
Authorize endpoint - 6sec
Dev tools screen
Please note that even if Azure AD B2C is considered a global service in the Azure cloud, users' data is stored in the specific region that you select during Azure AD B2C tenant creation.
Here is how it works - the directory store is hosted in the region you specified for the Azure AD B2C tenant:
Additional latency is only encountered when the user has performed an authentication in a different region from the one they signed up in. This is because calls will be made across regions to reach the Directory Store where their profile lives to complete their authentication.
To solve the problem with multiple regions and reduce the time, you can check Azure Active Directory B2C global identity framework.
Above information is included in it. Hope this clarifies a bit.

How do I programmatically clear or update a phone number for Azure AD B2C MFA?

We are testing MFA on Azure AD B2C using the sample found here: https://github.com/azure-ad-b2c/samples/tree/master/policies/mfa-unknown-devices
We know it can be done via the Azure Portal, but it is not an option for us to give customers access to our tenant (customer self service).
Previous posts pointed me to wait for an update from Graph API, and we are playing with the beta now: https://learn.microsoft.com/en-us/graph/api/resources/authenticationmethods-overview?view=graph-rest-beta
Running Get authenticationMethod only shows Azure AD B2C users with MFA enabled as having password authentication, no phone number.
Anyone been able to get the beta Graph API working with Azure AD B2C MFA or come up with a workaround clearing/updating phone numbers?
Since Graph API does not appear to be the answer, we were able to find a sample Azure AD B2C custom policy that allows a user to edit their phone number. To get a "reset" functionality, we added a check for a claim that would designate the user needs to reenroll in MFA and then trigger this workflow.
https://github.com/azure-ad-b2c/samples/tree/master/policies/edit-mfa-phone-number
MS Graph API does not support this operation for B2C. Please go through the MSDN documentation, which can give you more information about the Microsoft Graph operations available for Azure AD B2C.

Are Azure Smart Lockout features now available for B2C

I'm trying to determine if Azure Smart Lockout features are now available for B2C as of today. I've found older documents discussing it, but I'm unable to find any official word on whether it is now available. In the B2C tenant, under AD, Authentication methods is showing and you can open it up. However, it says it's in Preview and everything is greyed out. Does this mean that it will be available in B2C soon to be able to control lockout parameters? Azure Smart Lockout documentation states that Smart Lockout will require a minimum of an AD Basic or higher account to function. Does anyone know if the B2C tenant will require its own license or if a license in the base subscription will cover it?
Thx
If you are referring to Azure AD smart lockout being available for the local accounts in an Azure AD B2C tenant, then currently this isn't available.
Also note, the Azure AD Basic and Premium licenses aren't applicable to an Azure AD B2C tenant (in fact, the "Licenses" menu should be disabled).
Similar functionality to "smart lockout" is available in a B2C tenant, but isn't (yet) customisable.
Screenshot below of testing getting locked out after entering the password incorrectly 10 times (the default setting).
According to Microsoft docs (https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-threat-management)
Azure AD B2C uses a sophisticated strategy to lock accounts. The accounts are locked based on the IP of the request and the passwords entered. The duration of the lockout also increases based on the likelihood that it's an attack. After a password is tried 10 times unsuccessfully, a one-minute lockout occurs.
[cut]
Currently, you can't:
Trigger a lockout with fewer than 10 failed logins
Retrieve a list of locked out accounts
Configure the lock out policy
Azure Smart Lockout features are available for B2C. See this article for details.
I wasn't able to save those values for some of my B2C tenants from the Azure portal, but I was able to change Lockout threshold and lockout duration using the Graph API, following the instructions from this post.
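As an added example (not code from this thread, and not Microsoft's own sample), the Python script below does what the answer above describes: it reads the B2C tenant's password-rule directory setting through Microsoft Graph and patches the lockout threshold and lockout duration. It assumes a Graph bearer token with Directory.ReadWrite.All obtained elsewhere, the beta /settings endpoint returning directorySetting objects, and the documented "Password Rule Settings" template id with the value names LockoutThreshold and LockoutDurationInSeconds. The SAMPLE_SETTINGS listing embedded in the script is constructed so the parsing and payload construction can be exercised offline; only set_lockout_policy talks to Graph.

```python
"""Read and update an Azure AD B2C tenant's lockout settings through Microsoft Graph.

Added example, not code from the thread or from Microsoft. Assumptions:
  * a Microsoft Graph bearer token (acquired elsewhere) with Directory.ReadWrite.All,
  * the beta /settings endpoint returning directorySetting objects,
  * the documented "Password Rule Settings" template id and its value names
    LockoutThreshold and LockoutDurationInSeconds.
SAMPLE_SETTINGS is a constructed response so the parsing can run offline.
"""
import json
import urllib.request
from typing import Optional

GRAPH = "https://graph.microsoft.com/beta"
# Template id of the directorySetting template named "Password Rule Settings"
PASSWORD_RULE_TEMPLATE_ID = "5cf42378-d67d-4f36-ba46-e8b86229381d"

# Constructed sample of what GET /beta/settings returns once the template is instantiated
SAMPLE_SETTINGS = {
    "value": [
        {
            "id": "00000000-0000-0000-0000-000000000001",  # placeholder object id
            "templateId": PASSWORD_RULE_TEMPLATE_ID,
            "displayName": "Password Rule Settings",
            "values": [
                {"name": "LockoutThreshold", "value": "10"},
                {"name": "LockoutDurationInSeconds", "value": "60"},
                {"name": "EnableBannedPasswordCheck", "value": "true"},
            ],
        }
    ]
}


def find_password_rule_setting(settings_response: dict) -> Optional[dict]:
    """Pick the password-rule directorySetting out of a /settings listing, or None if absent."""
    for setting in settings_response.get("value", []):
        if setting.get("templateId") == PASSWORD_RULE_TEMPLATE_ID:
            return setting
    return None


def lockout_values(setting: dict) -> dict:
    """Return the current threshold and duration as ints (Graph stores every value as a string)."""
    by_name = {item["name"]: item["value"] for item in setting.get("values", [])}
    return {
        "LockoutThreshold": int(by_name["LockoutThreshold"]),
        "LockoutDurationInSeconds": int(by_name["LockoutDurationInSeconds"]),
    }


def build_lockout_patch(threshold: int, duration_seconds: int) -> dict:
    """Build the PATCH body for /settings/{id}; values must be sent as strings."""
    if threshold < 1 or duration_seconds < 1:
        raise ValueError("threshold and duration must be positive")
    return {
        "values": [
            {"name": "LockoutThreshold", "value": str(threshold)},
            {"name": "LockoutDurationInSeconds", "value": str(duration_seconds)},
        ]
    }


def graph_request(method: str, url: str, token: str, body: Optional[dict] = None) -> dict:
    """Minimal Graph call with urllib; raises urllib.error.HTTPError on a non-2xx response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def set_lockout_policy(token: str, threshold: int, duration_seconds: int) -> dict:
    """Patch the tenant's lockout settings and return the values Graph reports afterwards."""
    setting = find_password_rule_setting(graph_request("GET", f"{GRAPH}/settings", token))
    if setting is None:
        raise RuntimeError("Password Rule Settings is not instantiated in this tenant; "
                           "create it from the template first")
    graph_request("PATCH", f"{GRAPH}/settings/{setting['id']}", token,
                  build_lockout_patch(threshold, duration_seconds))
    return lockout_values(graph_request("GET", f"{GRAPH}/settings/{setting['id']}", token))


if __name__ == "__main__":
    # Offline demonstration on the constructed listing; a real run passes a token to set_lockout_policy
    current = lockout_values(find_password_rule_setting(SAMPLE_SETTINGS))
    print("current:", current)
    print("patch body:", json.dumps(build_lockout_patch(5, 300)))
```

The PATCH only carries the two lockout values, so the other password-rule values on the setting are left as they are; re-reading the setting after the PATCH confirms what the tenant now enforces rather than trusting the request.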

Unlocking an Azure AD B2C local account

When using Azure AD B2C, with local accounts and email address as the username, is there any mechanism to:
Identify that an account is locked via API or the Azure portal
Manually unlock that account ahead of the lock expiry time, e.g. via portal/API
Identify the time at which a lock will expire, again via API or portal. For example, you may wish to advise a customer to retry after a certain time
Thanks in advance
I don't believe you can access this lockout information using either the Azure Portal or the Azure AD Graph API.
Currently, as far as I know, a local account is locked from any new sign-ins for one minute after ten failed password sign-ins. The local account lockout is extended, after each subsequent failed password sign-in, for one minute initially and then longer subsequently.
A directory administrator can't unlock a local account. They must wait for the lockout duration to expire.
