Azure AD Custom Smart lockout

BrightLight 0 Reputation points
2023-03-21T08:47:56.33+00:00

AAD-Security-smart-lockout

Does the Custom smart lockout function lock out the Windows account if it exceeds the lockout threshold (after the user has successfully created the profile on the Windows 10 machine)? I tried applying it to my AAD; it doesn't lock out the Windows account, but it does lock out the user when the user attempts to sign in to e.g. OneDrive etc.

Microsoft Entra ID

2 answers

  1. Vasil Michev 95,836 Reputation points MVP
    2023-03-21T09:16:40.1633333+00:00

    Generally speaking, it does not, as it only applies to access to cloud resources. Use the corresponding controls in AD if you want to enforce a smart lockout in your on-premises environment.

    The exception is when you are using pass-through authentication, as authentication "touches" both Azure AD and on-premises servers, thus both the cloud and on-premises policies apply. You still need to have the on-premises policy configured if you want to enforce the account lock. Details are here: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout#how-smart-lockout-works
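The pass-through authentication case above means two lockout policies are in play at once, and the linked article's sizing guidance is that the on-premises AD threshold should be at least two to three times the Entra smart lockout threshold, with the Entra lockout duration longer than AD's "reset account lockout counter after" window, so that the cloud locks first and the on-premises account is not locked by a password-spray that Entra already stopped. The following is an added PowerShell example, not part of the answer or of any Microsoft tooling: it reads the on-premises default domain policy with the ActiveDirectory module and compares it against the Entra values you intend to set (the Entra threshold and duration are assumed inputs, since they are configured in the Entra portal), then shows how to inspect one account's on-premises lockout state after failed sign-ins. It writes nothing to AD or Entra.

```powershell
#Requires -Modules ActiveDirectory
# Added example: compare on-premises AD lockout settings with planned Entra ID smart lockout
# values for a pass-through authentication environment. Read-only.

function Test-LockoutPolicyAlignment {
    param(
        # Assumed: the smart lockout threshold you set in Entra ID (portal default is 10).
        [int]$EntraLockoutThreshold = 10,
        # Assumed: the smart lockout duration you set in Entra ID, in seconds (portal default is 60).
        [int]$EntraLockoutDurationSeconds = 60
    )

    $ad = Get-ADDefaultDomainPasswordPolicy

    # AD returns durations as TimeSpans; a LockoutThreshold of 0 means the domain never locks accounts.
    $adThreshold   = $ad.LockoutThreshold
    $adResetWindow = $ad.LockoutObservationWindow

    [pscustomobject]@{
        AdLockoutThreshold          = $adThreshold
        AdLockoutDurationMinutes    = $ad.LockoutDuration.TotalMinutes
        AdResetCounterAfterMinutes  = $adResetWindow.TotalMinutes
        EntraLockoutThreshold       = $EntraLockoutThreshold
        EntraLockoutDurationSeconds = $EntraLockoutDurationSeconds
        # No on-premises lockout at all means the "account lock" the question asks about cannot happen on-prem.
        OnPremLockoutEnabled        = ($adThreshold -gt 0)
        # Guidance: AD threshold at least 2x (ideally 3x) the Entra threshold, so Entra locks first.
        ThresholdAligned            = ($adThreshold -gt 0) -and ($adThreshold -ge 2 * $EntraLockoutThreshold)
        # Guidance: Entra lockout duration must outlast AD's reset-counter window.
        DurationAligned             = ($EntraLockoutDurationSeconds -gt $adResetWindow.TotalSeconds)
    }
}

function Get-OnPremLockoutState {
    # Shows whether the on-premises account (not the cloud identity) is currently locked.
    # badPwdCount is not replicated, so the value reflects only the DC this query hits.
    param([Parameter(Mandatory)][string]$SamAccountName)

    Get-ADUser -Identity $SamAccountName -Properties LockedOut, badPwdCount, AccountLockoutTime, LastBadPasswordAttempt |
        Select-Object SamAccountName, LockedOut, badPwdCount, AccountLockoutTime, LastBadPasswordAttempt
}

# Usage: compare policy, then check one account. 'jdoe' is a placeholder account name.
Test-LockoutPolicyAlignment -EntraLockoutThreshold 10 -EntraLockoutDurationSeconds 60 | Format-List
Get-OnPremLockoutState -SamAccountName 'jdoe' | Format-List
```

If `OnPremLockoutEnabled` is false, a cloud lockout will never be mirrored on-premises no matter how Entra is configured, which matches the behaviour described in the question; if `ThresholdAligned` is false, a spray against the pass-through path can lock the on-premises account before smart lockout has stopped it in the cloud.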


  2. Sandeep G-MSFT 14,806 Reputation points Microsoft Employee
    2023-03-26T05:49:37.51+00:00

    @BrightLight

    When the user is locked out, disabled, or deleted in Azure AD, this user can still log in to an Azure AD joined device only for a limited time. When a user is deleted, disabled, or locked in Azure AD, it's not immediately known to the Windows device. So, users who signed in previously can access the desktop with the cached username and password.

    Typically, the device is aware of the user state in less than four hours. Then Windows blocks those users' access to the desktop. As the user is deleted or disabled in Azure AD, all their tokens are revoked. So they can't access any resources.

    Deleted or disabled users who didn't sign in previously can't access a device. There's no cached username and password enabled for them.

    You can also refer to the article below for more information on this:

    https://learn.microsoft.com/en-us/azure/active-directory/devices/faq#can-a-disabled-or-deleted-user-sign-in-to-an-azure-ad-joined-device

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.