
Azure AD B2C – Clarification on MFA Lockout vs Password (Smart Lockout)

viswanadham paila 0 Reputation points
2026-03-30T11:26:23.0666667+00:00

Question:

We are implementing MFA using Azure AD B2C custom policies and reviewing the available lockout mechanisms.

From the documentation, we understand that Azure AD B2C provides Smart Lockout, which applies to incorrect username/password attempts.

However, we could not find any clear documentation regarding MFA lockout behavior.


Clarification Needed

Is it correct that Smart Lockout applies only to the first factor (username + password) and not to MFA?

For MFA scenarios (for example, OTP/email verification or other second-factor methods):

Does Azure AD B2C provide any built-in lockout mechanism for repeated incorrect MFA attempts?

If not, is the recommended approach to implement MFA lockout logic externally (e.g., via REST API or backend service) when using custom policies?


Context

We are using custom policies with a custom email OTP implementation (via REST API).

We want to confirm whether:

MFA lockout is handled by the platform

Or if it must be fully implemented as part of the custom solution


Any clarification or official guidance would be very helpful.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

1 answer

  1. Sridevi Machavarapu 30,275 Reputation points Microsoft External Staff Moderator
    2026-03-30T12:08:24.83+00:00

    Hello viswanadham paila,

    Your understanding is correct.

    Smart Lockout in Azure AD B2C applies only to username and password sign-ins. It protects against repeated incorrect password attempts and doesn’t apply to MFA. This is confirmed in Microsoft’s documentation: https://learn.microsoft.com/en-us/azure/active-directory-b2c/threat-management

    For MFA (email OTP, SMS, authenticator), there isn’t a built-in lockout for repeated failures. The platform doesn’t block users after multiple incorrect OTP attempts, and any limits you may see are usually session-based, not persistent.

    Since you’re using custom policies with a custom email OTP via REST API, the lockout logic needs to be handled on your side. Typically, this means tracking failed attempts, setting a limit, and temporarily blocking further attempts once that limit is reached.

    In short, password lockout is handled by the platform, but MFA lockout needs to be implemented in your custom solution.


    1 person found this answer helpful.
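The approach the answer describes (track failed attempts, set a limit, block temporarily) as an added example, not Microsoft's code or anything posted in this thread: the backing logic of the OTP-verifying REST endpoint that a B2C custom policy would call, returning the `409` + `userMessage` shape a REST API technical profile uses to surface a validation error to the user journey. The limits, the `OtpStore`/`OtpRecord` names and the in-memory store are assumptions; a real deployment would put the record in a shared persistent store so the counter survives new sessions and multiple API instances.

```python
import hashlib, hmac, time
from dataclasses import dataclass
MAX_FAILURES = 5        # wrong codes before lockout (assumed policy value)
LOCKOUT_SECONDS = 900   # lockout length; persists across sessions, unlike session state
OTP_TTL_SECONDS = 300   # how long an issued code stays valid

@dataclass
class OtpRecord:
    code_hash: bytes
    issued_at: float
    failures: int = 0
    locked_until: float = 0.0

def b2c_error(message):
    # Shape a B2C REST API technical profile expects for a validation failure
    return {"version": "1.0.0", "status": 409, "userMessage": message}

def _hash(user_id, code):
    return hashlib.sha256(f"{user_id}:{code}".encode()).digest()

class OtpStore:
    """Per-user OTP state; in-memory here, a shared persistent store in production."""
    def __init__(self):
        self.records = {}

    def issue(self, user_id, code, now=None):
        now = time.time() if now is None else now
        prev = self.records.get(user_id)
        # "Resend code" must not reset the counter or an active lockout, or it becomes unlimited guesses
        self.records[user_id] = OtpRecord(_hash(user_id, code), now,
            prev.failures if prev else 0, prev.locked_until if prev else 0.0)

    def verify(self, user_id, submitted, now=None):
        now = time.time() if now is None else now
        rec = self.records.get(user_id)
        if rec is None:
            return b2c_error("No verification code was requested.")
        if now < rec.locked_until:
            return b2c_error("Too many incorrect codes. Try again later.")
        if now - rec.issued_at > OTP_TTL_SECONDS:
            del self.records[user_id]
            return b2c_error("The code has expired. Request a new one.")
        if hmac.compare_digest(rec.code_hash, _hash(user_id, submitted)):
            del self.records[user_id]           # single use; success clears the counter
            return {"version": "1.0.0", "status": 200}
        rec.failures += 1
        if rec.failures >= MAX_FAILURES:       # lock, and start a fresh count afterwards
            rec.failures, rec.locked_until = 0, now + LOCKOUT_SECONDS
            rec.code_hash = b""                 # current code can no longer be guessed
        return b2c_error("The verification code is incorrect.")
```

The lockout is keyed on the user, not the session, and is checked before the code is compared, so a correct code submitted during the lockout window is still rejected.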
