Azure AD B2C - MS Graph - user lock/unlock - Enable/Disable

juni dev 336 Reputation points
2022-11-02T10:08:43.133+00:00

Hi,

I'm implementing an API for Azure AD B2C user management.
In my requirements, the API needs operations to enable/disable a user and also to lock/unlock.

I'm already able to Enable/disable via MsGraph by setting AccountEnabled=true/false.
Is there an attribute for account lock/unlock?

When the user exceeds the limit of wrong passwords, will they then be disabled or locked?
What about smart lockout? Does it affect a specific attribute I can read/set?

Thanks,
JD


Accepted answer
  1. Sandeep G-MSFT 14,241 Reputation points Microsoft Employee
    2022-11-24T04:56:54.017+00:00

    @juni dev

    There is no account lockout concept in a complete Managed Domain scenario, i.e., in case all your users are cloud users, AAD is the authority that handles your authentication. In this case, there is nothing called Account Lockout. If a cloud-only user makes bad password attempts, the Smart Lockout feature engages and forbids the user from making further attempts to log in. It governs the lockdown period based on its algorithm.

    When the account gets locked, it means the account is blocked from signing in. Once we toggle the Block sign in option to 'Yes', it basically changes the value of the AccountEnabled attribute to False. You can check this via Graph API (https://developer.microsoft.com/en-us/graph/graph-explorer)

    1. Log in to Graph Explorer with a Global Admin account by clicking on the "Sign in with Microsoft" button.
    2. Make a GET call > https://graph.microsoft.com/beta/users/USERNAME@YOUR_TENANT.onmicrosoft.com?$select=accountEnabled
    3. If you want to fetch this information about all users in your tenant, use > https://graph.microsoft.com/beta/users?$select=displayname,accountEnabled

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
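
The accountEnabled read and update discussed in this thread, as an added Python example that is not part of the original question or answer: it builds the Graph PATCH request without sending it and filters a list response for disabled accounts. The sample response, the tenant name contoso, the `<ACCESS_TOKEN>` placeholder and the inclusion of userPrincipalName in `$select` are assumptions.

```python
import json
from urllib.parse import quote
from urllib.request import Request

GRAPH = "https://graph.microsoft.com/beta"  # endpoint used in the answer above


def user_url(upn, select=("accountEnabled",)):
    """URL for one user; the UPN is percent-encoded so '#' or '/' cannot alter the path."""
    return f"{GRAPH}/users/{quote(upn, safe='@.')}?$select={','.join(select)}"


def build_set_enabled_request(upn, enabled, token):
    """Build (not send) the PATCH that sets accountEnabled on a user."""
    if not isinstance(enabled, bool):
        # A string such as "false" is truthy in Python; reject it instead of guessing.
        raise TypeError("enabled must be a bool")
    return Request(
        f"{GRAPH}/users/{quote(upn, safe='@.')}",
        data=json.dumps({"accountEnabled": enabled}).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


def disabled_users(list_response):
    """UPNs whose accountEnabled is explicitly false in a /users list response."""
    return [u["userPrincipalName"] for u in list_response.get("value", [])
            if u.get("accountEnabled") is False]


# Constructed sample of a GET /users?$select=userPrincipalName,accountEnabled
# response (assumed shape and names, not real tenant data).
SAMPLE = {"value": [
    {"userPrincipalName": "alice@contoso.onmicrosoft.com", "accountEnabled": True},
    {"userPrincipalName": "bob@contoso.onmicrosoft.com", "accountEnabled": False},
    {"userPrincipalName": "carol@contoso.onmicrosoft.com"},  # property not returned
]}

if __name__ == "__main__":
    req = build_set_enabled_request("bob@contoso.onmicrosoft.com", False, "<ACCESS_TOKEN>")
    print(req.get_method(), req.full_url, req.data.decode())
    print(disabled_users(SAMPLE))
```

A user record with no accountEnabled value is not reported as disabled, so a query that omits the property from `$select` does not produce false positives.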
