How can I disable Azure AD smart lockout

Krebs Andreas 0 Reputation points
2023-01-26T15:09:13.32+00:00

Our customer has the following problem:

They are using an Azure virtual desktop pool. They are accessing this pool by the Remote Desktop App on their client. In the Remote Desktop App, the users access their given remote apps. When they close and open their remote apps in short periods, the user account is getting locked for 30 minutes. How can this behaviour be disabled?

The VDI pool is ADDS-joined and the users can be unlocked by using "Active Directory Users and Computers". In the Azure Management Portal, the smart lockout for Windows Active Directory systems is disabled. But this doesn't do the trick.

I'd appreciate any help.


5 answers

  1. JimmySalian-2011 41,916 Reputation points
    2023-01-26T15:27:59.7866667+00:00

    Hi,

    By default Smart Lockout is enabled on the tenant; this is for security and prevents bad actors from stealing user creds. If you are using a hybrid setup with users synced to AAD, I suggest you review your on-prem policies and see if there is a mismatch.

    When using pass-through authentication, the following considerations apply:

    • The Azure AD lockout threshold is less than the AD DS account lockout threshold. Set the values so that the AD DS account lockout threshold is at least two or three times greater than the Azure AD lockout threshold.
    • The Azure AD lockout duration must be set longer than the AD DS account lockout duration. The Azure AD duration is set in seconds, while the AD duration is set in minutes.

    For example, if you want your Azure AD smart lockout duration to be higher than AD DS, then Azure AD would be 120 seconds (2 minutes) while your on-premises AD is set to 1 minute (60 seconds). If you want your Azure AD lockout threshold to be 5, then you want your on-premises AD lockout threshold to be 10. This configuration would ensure smart lockout prevents your on-premises AD accounts from being locked out by brute force attacks on your Azure AD accounts.

    Check this article and it should help you to figure out the policy settings.

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.


  2. Krebs Andreas 0 Reputation points
    2023-01-30T10:02:47.4933333+00:00

    Hi @JimmySalian-2011
    Thank you for your response.

    We are managing users solely in AAD. We bought ADDS via Azure as an addition, because we need to use GPOs on our virtual Azure servers.

    When I want to edit the "Default Domain Policy" according to https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout, the "Edit" option is greyed out. So it seems that only the AAD lockout policy counts.

    My password protection config on the Azure tenant looks like this (see the screenshot attached to the original post).

    Here, I cannot see anything that matches the 30-minute lockouts. Perhaps I'm looking in the wrong direction?

    Many thanks for further support.


  3. Limitless Technology 43,931 Reputation points
    2023-02-01T11:19:31.0133333+00:00

    Hello there,

    To verify your on-premises AD DS account lockout policy, complete the following steps from a domain-joined system with administrator privileges:

    Open the Group Policy Management tool.

    Edit the group policy that includes your organization's account lockout policy, such as the Default Domain Policy.

    Browse to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.

    Verify your Account lockout threshold and Reset account lockout counter after values.

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--

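An added example, not posted by any participant in this thread: a PowerShell check that reads the effective AD DS account lockout policy the steps above tell you to verify, and compares it with the Azure AD smart lockout values from the first answer (AD DS threshold at least twice the Azure AD threshold; Azure AD duration in seconds longer than the AD DS duration). The Azure AD threshold and duration are assumed parameters you copy from the tenant's Password protection page, since nothing on this page reads them programmatically; the defaults used here are the Azure AD defaults (10 attempts, 60 seconds).

```powershell
# Added example (not from the thread). Requires the ActiveDirectory RSAT module
# and must run on a domain-joined machine with rights to read domain policy.
param(
    # Assumed values: copy them from Azure AD > Security > Authentication methods
    # > Password protection. Defaults below are the Azure AD smart lockout defaults.
    [int]$AzureAdLockoutThreshold = 10,
    [int]$AzureAdLockoutSeconds   = 60
)

Import-Module ActiveDirectory

# Effective domain-wide policy, i.e. what the Default Domain Policy applies.
$pol = Get-ADDefaultDomainPasswordPolicy

$adThreshold = $pol.LockoutThreshold                          # 0 = lockout disabled
$adDuration  = [int]$pol.LockoutDuration.TotalSeconds          # "Account lockout duration"
$adWindow    = [int]$pol.LockoutObservationWindow.TotalSeconds # "Reset account lockout counter after"

[pscustomobject]@{
    'AD DS lockout threshold'       = $adThreshold
    'AD DS lockout duration (s)'    = $adDuration
    'AD DS reset counter after (s)' = $adWindow
    'Azure AD lockout threshold'    = $AzureAdLockoutThreshold
    'Azure AD lockout duration (s)' = $AzureAdLockoutSeconds
} | Format-List

$findings = @()
if ($adThreshold -eq 0) {
    # Matches the situation in this thread: AD DS lockout is off, so a 30-minute
    # lockout is not being produced by this policy and must come from elsewhere.
    $findings += 'AD DS account lockout is disabled; lockouts are not coming from this policy.'
} else {
    # Guidance from the thread: AD DS threshold >= 2x (ideally 3x) the Azure AD threshold,
    # so attackers hit Azure AD smart lockout before they can lock the on-prem account.
    if ($adThreshold -lt 2 * $AzureAdLockoutThreshold) {
        $findings += "AD DS threshold $adThreshold is less than twice the Azure AD threshold $AzureAdLockoutThreshold."
    }
    # Guidance from the thread: Azure AD duration (seconds) must exceed the AD DS duration.
    if ($AzureAdLockoutSeconds -le $adDuration) {
        $findings += "Azure AD duration ${AzureAdLockoutSeconds}s is not longer than AD DS duration ${adDuration}s."
    }
}

if ($findings.Count -eq 0) {
    'Lockout policies are consistent with the smart lockout guidance.'
} else {
    $findings | ForEach-Object { "WARNING: $_" }
}
```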

  4. Krebs Andreas 0 Reputation points
    2023-02-03T08:22:21.68+00:00

    Hi @Limitless Technology ,

    I did that already. I managed there to disable account lockouts, but it seems that the connection over the "Remote Desktop App" and the authentication to the VDI pool don't use this policy. Users are still getting locked out if they connect to their VDI desktop in short periods.


    Any other ideas?


  5. deherman-MSFT 33,296 Reputation points Microsoft Employee
    2023-02-06T18:08:09.83+00:00

    @Krebs Andreas

    Sorry to hear that did not resolve your issue.
    To further troubleshoot this, we're going to enable a free, one time technical support ticket. Please email the following to AzCommunity@microsoft.com and we'll get back to you promptly:

    • Subject: "Attn: deherman - "

    • Email body: Your Subscription ID

    • Email body: A link to this thread so we can validate and expedite the request

    If you don't receive a response within 24 hours, please reply to the thread so we can investigate.
