B2C custom policies password requirements

Vikas Tiwari 766 Reputation points
2020-10-08T05:31:16.397+00:00

Hi @AmanpreetSingh-MSFT ,

I hope you are doing well. I need your valuable input related to B2C password complexity.
I have gone through the MS doc here, but we have the following add-on requirements:

1) Repeated history length: User should not be allowed to repeat last 24 passwords while changing password.

2) Account Lockout: After 3 consecutive failed login attempts within 60 minutes, user account should be locked for "N" hours.

3) If an account is not accessed for 90 consecutive days, the account shall be disabled on the 91st day and will be deleted after 120 days of inactivity.

4) Incremented previous passwords should not be allowed while changing password: if the last password was P@$$WORD123, the next password cannot be P@$$WORD124, 125, 126 etc., up to 10 increments.

5) Customize audit message when user enters wrong userid or password as "The User Id or Password that you have entered is not correct".

Do you know if we can customize the above requirements in B2C custom policies?

Thanks,
Vikas Tiwari


Accepted answer
  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2020-10-08T09:56:50.087+00:00

    Hi @Vikas Tiwari, please find my comments inline:

    1) Repeated history length: User should not be allowed to repeat last 24 passwords while changing password.

    As of now we do not support enforcing password history in B2C.

    2) Account Lockout: After 3 consecutive failed login attempts within 60 minutes, user account should be locked for "N" hours.

    This can be configured via Azure AD B2C > Authentication Methods > Password Protection.

    3) If an account is not accessed for 90 consecutive days, the account shall be disabled on the 91st day and will be deleted after 120 days of inactivity.

    To disable the account after 90 days of inactivity, you can refer to this sample: Disable and lockout an account after a time period. For deleting the accounts, you can create a PowerShell script that checks the extension_lastLogonTime attribute and deletes accounts where the value is >120 days.

    4) Incremented previous passwords should not be allowed while changing password: if the last password was P@$$WORD123, the next password cannot be P@$$WORD124, 125, 126 etc., up to 10 increments.

    This is not supported. The best you can do is enforce a banned password list via Azure AD B2C > Authentication Methods > Password Protection.

    5) Customize audit message when user enters wrong userid or password as "The User Id or Password that you have entered is not correct".

    You can use the localization string IDs below for this purpose. Refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/localization-string-ids for more details:

    <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfClaimsPrincipalDoesNotExist">The User Id or Password that you have entered is not correct.</LocalizedString>
    <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfInvalidPassword">The User Id or Password that you have entered is not correct.</LocalizedString>

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
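The history check (item 1) and the increment check (item 4) are not built into B2C, but a custom policy can hand the new password to a REST API validation technical profile. The block below is an added illustration of the logic such an endpoint could run; it is example code written here, not from the question, the answer or Microsoft, and it assumes the previous passwords are stored as salted PBKDF2 hashes, newest first. Note that the increment check never needs the old plaintext: the candidate predecessors are derived from the new password and hashed against the most recent entry.

```python
import hashlib
import hmac
import os
import re

# Constructed parameters for the assumed validation endpoint.
MAX_HISTORY = 24      # last 24 passwords may not be reused (item 1)
MAX_INCREMENTS = 10   # P@$$WORD123 -> P@$$WORD124 ... 133 rejected (item 4)
ITERATIONS = 20_000   # kept low so the example runs quickly; raise in production
_SUFFIX = re.compile(r"^(.*?)(\d+)$")   # split off a trailing run of digits


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-SHA256 digest) for one history entry."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def matches(password, entry):
    """Constant-time check of a plaintext candidate against a stored entry."""
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def numeric_predecessors(password, max_increments=MAX_INCREMENTS):
    """Passwords that 'password' could have been incremented from, e.g. for
    'PASS10' with 2 increments: {'PASS09', 'PASS9', 'PASS08', 'PASS8'}."""
    m = _SUFFIX.match(password)
    if not m:
        return set()            # no numeric suffix, nothing to derive
    prefix, digits = m.groups()
    n, width = int(digits), len(digits)
    preds = set()
    for k in range(1, max_increments + 1):
        if n - k < 0:
            break
        preds.add(prefix + str(n - k).zfill(width))   # zero-padded spelling
        preds.add(prefix + str(n - k))                # unpadded spelling
    return preds


def is_acceptable(new_password, history):
    """history: list of (salt, digest), newest first. Returns (accepted, reason)."""
    recent = history[:MAX_HISTORY]
    if any(matches(new_password, e) for e in recent):
        return False, "reuse of a recent password"
    if recent and any(matches(p, recent[0]) for p in numeric_predecessors(new_password)):
        return False, "increment of the previous password"
    return True, "ok"
```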


1 additional answer

  1. Kumar, Deevan 1 Reputation point
    2021-09-29T08:06:16.437+00:00

    Hi @AmanpreetSingh-MSFT

    In regard to the 1st point above, you have replied as not supported. I see it was almost a year ago, so do we have any updates on this or a road plan in future for the same?

    Regards,
    Deevan