VikasTiwari-2263 asked KumarDeevan-8751 answered

B2C custom policies password requirements

Hi @amanpreetsingh-msft,

I hope you are doing well. I need your valuable input related to B2C password complexity.
I have gone through the MS doc here, but we have the following add-on requirements:

1) Repeated history length: User should not be allowed to repeat last 24 passwords while changing password.

2) Account Lockout: After 3 consecutive failed login attempts within 60 minutes, user account should be locked for "N" hours.

3) If an account is not accessed for 90 consecutive days, the account shall be disabled on the 91st day and will be deleted after 120 days of inactivity.

4) Incremented previous passwords should not be allowed while changing password: if the last password was P@$$WORD123, the next password cannot be P@$$WORD124, 125, 126 etc., up to 10 increments.

5) Customize audit message when user enters wrong userid or password as "The User Id or Password that you have entered is not correct".


Do you know if we can customize above requirements in b2c custom policies?

Thanks,
Vikas Tiwari


azure-ad-b2c

amanpreetsingh-msft answered

Hi @VikasTiwari-2263 Please find my comments inline:

1) Repeated history length: User should not be allowed to repeat last 24 passwords while changing password.

As of now we do not support enforcing password history in B2C.

2) Account Lockout: After 3 consecutive failed login attempts within 60 minutes, user account should be locked for "N" hours.

This can be configured via Azure AD B2C > Authentication Methods > Password Protection.

3) If an account is not accessed for 90 consecutive days, the account shall be disabled on 91st day and will be delete after 120 days of inactivity.

To disable the account after 90 days of inactivity, you can refer to this sample: Disable and lockout an account after a time period. For deleting the accounts, you can create a PowerShell script that checks the extension_lastLogonTime attribute and deletes accounts where the value is more than 120 days old.

4) Increment previous passwords should not be allowed while changing password : If last password was P@$$WORD123 next password can not be P@$$WORD124, 125, 126 etc up to 10 increments.

This is not supported. The best you can do is enforce a banned password list via Azure AD B2C > Authentication Methods > Password Protection.

5) Customize audit message when user enters wrong userid or password as "The User Id or Password that you have entered is not correct".

You can use the localization string IDs below for this purpose. Refer to https://docs.microsoft.com/en-us/azure/active-directory-b2c/localization-string-ids for more details:

 <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfClaimsPrincipalDoesNotExist">The User Id or Password that you have entered is not correct.</LocalizedString>
 <LocalizedString ElementType="ErrorMessage" StringId="UserMessageIfInvalidPassword">The User Id or Password that you have entered is not correct.</LocalizedString>


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

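The deletion half of point 3 is only described in the answer above ("a PowerShell script that checks the extension attribute and deletes accounts older than 120 days"). The script below is an added example, not code from the answerer or from the B2C sample, written against the Microsoft Graph PowerShell SDK. It assumes (labelled in the comments) that the custom policy writes the last sign-in as an ISO 8601 timestamp into the extension attribute lastLogonTime, which Graph exposes as extension_<b2c-extensions-app client ID without hyphens>_lastLogonTime, and that the policy has already disabled the account at day 91. It defaults to a dry run, never deletes an account that has no recorded logon (accounts created before the policy was deployed would otherwise be wiped on the first run), and refuses to delete an account that is still enabled, since that means the disable step did not happen.

```powershell
# Added example: delete B2C local accounts inactive for more than N days.
# Not part of the original thread. Assumed inputs:
#   - $ExtensionsAppId: Application (client) ID of the tenant's "b2c-extensions-app"
#   - the custom policy stores the last sign-in in extension attribute "lastLogonTime"
#     as an ISO 8601 string (e.g. 2021-06-01T10:15:00Z)
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ExtensionsAppId,
    [int] $MaxInactiveDays = 120,
    # Dry run by default; pass -Delete to actually remove accounts.
    [switch] $Delete
)

# Graph names directory extensions "extension_<appId without hyphens>_<name>".
$attr   = "extension_{0}_lastLogonTime" -f ($ExtensionsAppId -replace '-', '')
$cutoff = [DateTimeOffset]::UtcNow.AddDays(-$MaxInactiveDays)

Connect-MgGraph -TenantId $TenantId -Scopes "User.ReadWrite.All"

# Extension values are not filterable with comparison operators, so pull the
# needed properties for every user and filter client-side.
$users = Get-MgUser -All -Property "id,userPrincipalName,accountEnabled,$attr"

$stale = foreach ($u in $users) {
    $raw = $u.AdditionalProperties[$attr]
    if ([string]::IsNullOrEmpty($raw)) {
        # No recorded logon: account predates the policy or never signed in.
        # Missing data is not evidence of inactivity; report, do not delete.
        Write-Verbose "Skipping $($u.UserPrincipalName): no $attr value"
        continue
    }
    $last = [DateTimeOffset]::MinValue
    $ok = [DateTimeOffset]::TryParse(
        $raw,
        [Globalization.CultureInfo]::InvariantCulture,
        [Globalization.DateTimeStyles]::AssumeUniversal,
        [ref] $last)
    if (-not $ok) {
        Write-Warning "Skipping $($u.UserPrincipalName): unparseable $attr value '$raw'"
        continue
    }
    if ($last -lt $cutoff) {
        [pscustomobject]@{
            Id                = $u.Id
            UserPrincipalName = $u.UserPrincipalName
            AccountEnabled    = [bool] $u.AccountEnabled
            LastLogon         = $last
            InactiveDays      = [int] ([DateTimeOffset]::UtcNow - $last).TotalDays
        }
    }
}

foreach ($s in $stale) {
    if ($s.AccountEnabled) {
        # The flow in the question disables at day 91. An enabled account this old
        # means that step did not run, so surface it instead of deleting it.
        Write-Warning "$($s.UserPrincipalName): inactive $($s.InactiveDays) days but still enabled; not deleting"
        continue
    }
    if ($Delete) {
        Remove-MgUser -UserId $s.Id
        Write-Output "Deleted $($s.UserPrincipalName) (inactive $($s.InactiveDays) days)"
    }
    else {
        Write-Output "[dry run] would delete $($s.UserPrincipalName) (inactive $($s.InactiveDays) days)"
    }
}
```

Run it once without -Delete and review the output before scheduling it; the identity it signs in as needs User.ReadWrite.All, so it should be a dedicated automation identity rather than an admin's interactive session.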

@amanpreetsingh-msft Many Thanks for all inline details.


@amanpreetsingh-msft
We want to achieve below and already configured in our B2C tenant.
"Account Lockout: After 3 consecutive failed login attempts within 60 minutes, user account should be locked for "N" hours."

But this is not actually working. We are using custom policies. Do we need to configure this in the custom policies?
(screenshot attached: image.png)
KumarDeevan-8751 answered

Hi @amanpreetsingh-msft

In regard to the 1st point above, you replied that it is not supported. I see that was almost a year ago, so do we have any updates on this, or a roadmap for it in the future?

Regards,
Deevan
