Tim-3422 asked sikumars commented

Smart Lock keeps locking users on my Synology NAS?!

Hello,

Azure Smart Lock keeps locking AzureAD users for some reason and I can't for the world find out why.

Setup:
We are running a Synology NAS. This NAS is connected to Azure through a VPN Gateway. This way we can sign-in on the NAS using a WebDAV service and authentication through Office365 (email). To access the files on the NAS we use a third party application RaiDrive where the user can login with their email and password.

Since we enabled the "change your password every 30 days" policy in O365 the issues began to arise. Users are getting locked out of their accounts and the NAS also states the account is in LOCKOUT state.

Upon investigating on the web I found out about Smart Lock. I've set the timer to 60s and failed login tries to 30 with no result. Users keep getting locked out, even while doing nothing. I've already contacted Synology Support but they told me there is no lock option in the NAS that could cause this, it's from Microsoft.

Just to be clear, we are not running a hybrid AD, it's only AzureAD.

Anybody familiar with this problem? Changing the Smart Lock settings doesn't change anything, users keep getting locked out for hours and I'm not even able to UNLOCK them from an administrator perspective. This is crazy....

All help is greatly appreciated.

azure-active-directory

1 Answer

sikumars answered sikumars commented

Hello @Tim-3422,

Thanks for reaching out, and apologies for the inconvenience caused.

Currently, it is not possible for administrators to unlock the users' cloud accounts if they have been locked out by the Smart Lockout capability. The administrator must wait for the lockout duration to expire. However, the user can unlock by using the self-service password reset (SSPR) from a trusted device or location (https://aka.ms/SSPR).

However, in this case I would strongly recommend that you use the Azure AD Sign-ins logs, which provide more insight and might help you find where exactly the lockouts were occurring rather than just unlocking users' accounts; see the screenshot below for your reference:

90747-image.png

This is because using smart lockout doesn't guarantee that a genuine user is never locked out. When smart lockout locks a user account, we try our best to not lock out the genuine user. The lockout service attempts to ensure that bad actors can't gain access to a genuine user account. The following considerations apply:

  • Each Azure AD data center tracks lockout independently. A user has (threshold_limit * datacenter_count) number of attempts, if the user hits each data center.

  • Smart Lockout uses familiar location vs unfamiliar location to differentiate between a bad actor and the genuine user. Unfamiliar and familiar locations both have separate lockout counters.

More information : https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
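One way to act on the sign-in log advice in the answer above, as an added example that is not part of the original thread: this Python sketch groups the bad-password failures (AADSTS50126) that precede each Smart Lockout event (AADSTS50053) by IP address, client app and application, so a device that keeps replaying an old password stands out. It assumes sign-in records exported as JSON with the Microsoft Graph signIn field names; the sample records, the application name and the one-hour window are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOCKED = 50053        # AADSTS50053: account is locked (Smart Lockout)
BAD_PASSWORD = 50126  # AADSTS50126: invalid username or password


def parse_ts(value):
    """Parse the ISO 8601 UTC timestamps used in sign-in log exports."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def lockout_sources(records, window=timedelta(hours=1)):
    """For each locked-out user, count bad-password failures per source
    (IP, client app, application) in the window before the first lockout."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["userPrincipalName"].lower()].append(rec)
    report = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: parse_ts(e["createdDateTime"]))
        locks = [e for e in events if e["status"]["errorCode"] == LOCKED]
        if not locks:
            continue  # user was never locked out in this export
        t_lock = parse_ts(locks[0]["createdDateTime"])
        sources = Counter(
            (e["ipAddress"], e["clientAppUsed"], e["appDisplayName"])
            for e in events
            if e["status"]["errorCode"] == BAD_PASSWORD
            and t_lock - window <= parse_ts(e["createdDateTime"]) <= t_lock
        )
        report[user] = sources.most_common()  # noisiest source first
    return report


def _rec(ts, ip, client, code, user="alice@example.com", app="nas-webdav (constructed)"):
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "clientAppUsed": client, "appDisplayName": app, "status": {"errorCode": code}}

# Constructed sample: a non-interactive client retrying an old password.
SAMPLE = [
    _rec("2021-04-20T02:00:00Z", "198.51.100.7", "Browser", BAD_PASSWORD),  # outside window
    _rec("2021-04-20T08:00:05Z", "203.0.113.10", "Other clients", BAD_PASSWORD),
    _rec("2021-04-20T08:00:35Z", "203.0.113.10", "Other clients", BAD_PASSWORD),
    _rec("2021-04-20T08:01:05Z", "203.0.113.10", "Other clients", BAD_PASSWORD),
    _rec("2021-04-20T08:01:20Z", "198.51.100.7", "Browser", BAD_PASSWORD),
    _rec("2021-04-20T08:01:35Z", "203.0.113.10", "Other clients", LOCKED),
    _rec("2021-04-20T08:05:00Z", "192.0.2.44", "Browser", 0, user="bob@example.com"),
]

if __name__ == "__main__":
    for user, sources in lockout_sources(SAMPLE).items():
        print(user, sources)
```

A source that dominates the count with a non-interactive client type and no user activity points to a saved credential that was not updated after the password change.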



Hello @Tim-3422,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further queries, do let us know.

Thanks,
