MauricioOrihuela-7248 asked schalkvanwyk commented

B2C account is not locking properly

hi,

I have implemented B2C, which locks out after 5 attempts for 15 minutes.
After intentionally locking the account and verifying that the account is locked in the Azure "sign-ins" logs with error 50053 (account locked), I can log in on the 2nd try with the correct password, well before the 15 minutes.

I found another post that mentions the same issue, but there is no solution:

https://social.msdn.microsoft.com/Forums/en-US/ea917a58-cdba-412d-a24d-1e4d1b90f17a/b2c-account-locking-is-not-working-properly?forum=AzureSecurityCenter

azure-ad-b2c

1 Answer

amanpreetsingh-msft answered schalkvanwyk commented

Hi @MauricioOrihuela-7248, thank you for reaching out.

Azure AD B2C uses Smart Lockout, which is different from the traditional account lockout.

When smart lockout locks a user account, we try our best not to lock out the genuine user. However, using smart lockout doesn't guarantee that a genuine user is never locked out. The lockout service attempts to ensure that bad actors can't gain access to a genuine user account. The following considerations apply:

  1. Each Azure AD data center tracks lockout independently. A user has (threshold_limit * datacenter_count) attempts if the user hits each data center.

  2. Smart Lockout uses familiar location vs unfamiliar location to differentiate between a bad actor and the genuine user. Unfamiliar and familiar locations both have separate lockout counters.

This makes testing smart lockout a bit difficult, and it is not as straightforward as the traditional account lockout testing.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


So do we accept that account lockout just works? How does one ensure that there is no mistake in say a custom policy that will prevent the account from being locked?

Further, I've seen scenarios where the account lockout message is being displayed, then when one enters another incorrect attempt you get the password is incorrect error for a certain number of tries, then after say 2 incorrect tries one again gets the account lockout message. It seems inconsistent and one never gets the account lockout continuously after repeated attempts.

The client (company using B2C) is expecting the user account to be locked out so that no further attempts can be made against that account. How does one relay the message to the client that the product is safe?

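The following is an added toy model (not Microsoft's code and not the real Smart Lockout implementation) of the behaviour the answer describes, to make the observations in the question and the comment reproducible on paper: independent failure counters per data center and per familiar/unfamiliar location, a threshold of 5 and a 15-minute window. Data center names such as `dc-A` and the routing lists are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Toy model of the Smart Lockout behaviour described in the answer. Assumptions
# (not Azure's implementation): one independent counter per (data center,
# familiar/unfamiliar location), a fixed failure threshold and a fixed lockout window.
@dataclass
class SmartLockoutModel:
    threshold: int = 5          # failures before lockout, as configured in the question
    lockout_seconds: int = 900  # 15-minute lockout window, as configured in the question
    failures: Dict[Tuple[str, str], int] = field(default_factory=dict)
    locked_until: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def attempt(self, datacenter: str, familiar: bool, password_ok: bool, now: float) -> str:
        """Returns 'locked', 'success' or 'bad_password' for one sign-in attempt."""
        key = (datacenter, "familiar" if familiar else "unfamiliar")
        if now < self.locked_until.get(key, 0.0):
            return "locked"  # the outcome logged as error 50053 in the sign-in logs
        if password_ok:
            self.failures[key] = 0
            return "success"
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= self.threshold:
            self.locked_until[key] = now + self.lockout_seconds
            self.failures[key] = 0
            return "locked"
        return "bad_password"

def login_after_lock_via_other_datacenter() -> Tuple[str, str]:
    """The question's observation: locked on one data center, yet a correct
    password succeeds seconds later when the request lands on another one."""
    m = SmartLockoutModel()
    last = ""
    for _ in range(m.threshold):
        last = m.attempt("dc-A", familiar=False, password_ok=False, now=0)
    return last, m.attempt("dc-B", familiar=False, password_ok=True, now=10)

def interleaved_messages(route: List[str]) -> List[str]:
    """The comment's observation: when consecutive bad attempts are served by
    different data centers the user sees 'locked', then 'bad_password' again,
    then 'locked' again. `route` is the assumed data center per attempt."""
    m = SmartLockoutModel()
    return [m.attempt(dc, familiar=False, password_ok=False, now=0) for dc in route]

def attempts_until_fully_locked(datacenters: List[str]) -> int:
    """Bad attempts (round-robin over data centers) before every data center
    reports 'locked': the answer's threshold_limit * datacenter_count."""
    m = SmartLockoutModel()
    count = 0
    while not all((dc, "unfamiliar") in m.locked_until for dc in datacenters):
        m.attempt(datacenters[count % len(datacenters)], familiar=False, password_ok=False, now=0)
        count += 1
    return count
```

With two data centers the model needs 10 bad attempts before both report the lockout, which is why a single-location test of "5 attempts then locked" can pass and fail seemingly at random.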