Azure AD Custom Smart lockout

Question

Azure AD Custom Smart lockout

Anonymous

AAD-Security-smart-lockout

Does the Custom smart lockout function lockout the Windows account if it exceed the lockout threshold (after the user had successfully created the profile in the Windows 10 machine). I tried applying it onto my AAD, it doesn't lockout the Windows account but it does lockout the user when user attempts to sign in to e.g. OneDrive etc.

Sandeep G-MSFT 21,151 Reputation points Microsoft Employee Moderator

2023-03-27T08:52:06.6+00:00

@Anonymous

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.
JamesTran-MSFT 37,251 Reputation points Microsoft Employee Moderator

2023-03-31T18:04:24.6633333+00:00

@Anonymous

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

2 answers

Your answer

Sandeep G-MSFT 21,151 Reputation points Microsoft Employee Moderator

2023-03-27T08:52:06.6+00:00

@Anonymous

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.
JamesTran-MSFT 37,251 Reputation points Microsoft Employee Moderator

2023-03-31T18:04:24.6633333+00:00

@Anonymous

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 1

@Anonymous

When the user is locked out or disabled or deleted from Azure AD, this user can still login to Azure AD joined device only for a limited time. When a user is deleted or disabled or locked in Azure AD, it's not immediately known to the Windows device. So, users who signed in previously can access the desktop with the cached username and password.

Typically, the device is aware of the user state in less than four hours. Then Windows blocks those users' access to the desktop. As the user is deleted or disabled in Azure AD, all their tokens are revoked. So they can't access any resources.

Deleted or disabled users who didn't sign in previously can't access a device. There's no cached username and password enabled for them.

You can also refer to below article to get more information on this,

https://learn.microsoft.com/en-us/azure/active-directory/devices/faq#can-a-disabled-or-deleted-user-sign-in-to-an-azure-ad-joined-device

Let me know if you have any further questions.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Anonymous

2023-03-27T09:56:59.0433333+00:00

Thank you very much.
Sandeep G-MSFT 21,151 Reputation points Microsoft Employee Moderator

2023-03-27T10:05:35.5933333+00:00

@Anonymous

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

Answer 2

Vasil Michev 126.4K MVP Volunteer Moderator

Generally speaking, it does not, as it only applies to access to cloud resources. Use the corresponding controls in AD if you want to enforce a smart lockout in your on-premises environment.

The exception is when you are using pass-trough authentication, as authentication "touches" both Azure AD and on-premises servers, thus both the cloud and on-premises policies apply. You still need to have the on-premises policy configured if you want to enforce the account lock. Details are here: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout#how-smart-lockout-works

Anonymous

2023-03-21T09:46:50.2133333+00:00

I do not have on-prem ad. I am trying to enforce windows account locking out after number of attempts. My guess is that I have to use Windows Hello then.
Vasil Michev 126.4K Reputation points MVP Volunteer Moderator

2023-03-21T10:14:06.8633333+00:00

You can still enforce it by toggling the corresponding controls under the Local Security Policy.

Why do you have the last two settings toggled on the screenshot above though, if you don't have on-premises AD? Or is this just a sample screenshot?
Anonymous

2023-03-22T01:11:18.14+00:00

That was from the Azure AD, not from on-prem. I was trying to find out if I can enforce windows lockout on AAD joined devices. Or those enrolled into Intune.
Anonymous

2023-03-22T01:45:53.07+00:00

I was trying to find ways to enforce Windows account lockout after a certain threshold. I thought the custom Smart lockout in the AAD would let me do this but it didn't. The screenshot shown was from my AAD.

Share via

Azure AD Custom Smart lockout

2 answers

Your answer