How to handle failed logins within B2C custom policy?

Martha Taylor 0 Reputation points
2023-08-18T11:15:00.27+00:00

Hi,

I would like to implement an account locking and forced password reset custom policy within Azure B2C.

The client requirement is that after 3 failed login attempts the user account is locked, and once they successfully login after this lock they will be forced to reset their password. If they then fail to login another 3 times with the new password, their account will be disabled and can only be re-enabled by a super user.

To implement this I have created two custom attributes within B2C that correspond to failed login attempts and failed grace login attempts. The issue I am having is that I cannot find a way to track the failed login attempts within the custom policy to be able to increment these custom attributes by 1 each time a login attempt fails. Is this functionality possible within B2C custom policies?

I am aware of the alternative option of using the built-in Smart Locking feature; however, this does not allow me to disable a user permanently for only a super-user to re-enable, and also doesn't allow me to force a password reset after a certain number of failed logins.

Any advice would be very welcome, as I cannot tell from documentation whether the count functionality I require is possible when using custom policies.
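The lock / forced-reset / disable sequence from the question, written out as a small Python state model (an added example, not code from this post or from Azure AD B2C) so the decisions a policy or backing service would have to make are explicit. Assumptions not in the question: the custom attribute names, that the lock is time-limited (60 seconds), that a successful login clears the first counter, and that the grace counter persists until a super user intervenes.

```python
from dataclasses import dataclass

MAX_FAILED_LOGINS = 3        # lock after 3 failures (from the question)
MAX_FAILED_GRACE_LOGINS = 3  # disable after 3 more failures with the new password
LOCK_SECONDS = 60            # assumption: the lock is time-limited (1 minute)

@dataclass
class Account:
    failed_login_attempts: int = 0        # custom attribute (name assumed)
    failed_grace_login_attempts: int = 0  # custom attribute (name assumed)
    state: str = "active"                 # active | locked | grace | disabled
    locked_until: int = 0                 # unix time; only meaningful when locked

def login(acct: Account, password_ok: bool, now: int) -> str:
    """Apply one login attempt and return the outcome the journey must enforce."""
    if acct.state == "disabled":
        return "disabled"                          # only a super user can clear this
    if acct.state == "locked":
        if now < acct.locked_until:
            return "locked"                        # rejected, counters untouched
        if not password_ok:
            acct.locked_until = now + LOCK_SECONDS # a failure after expiry re-locks
            return "locked"
        acct.state = "grace"                       # first success after the lock:
        acct.failed_login_attempts = 0             # force a reset, then start the
        return "reset_required"                    # grace phase with the new password
    if acct.state == "grace":
        if password_ok:
            return "ok"                            # assumption: grace counter persists
        acct.failed_grace_login_attempts += 1
        if acct.failed_grace_login_attempts >= MAX_FAILED_GRACE_LOGINS:
            acct.state = "disabled"
            return "disabled"
        return "denied"
    if password_ok:                                # state == "active"
        acct.failed_login_attempts = 0             # assumption: success clears the counter
        return "ok"
    acct.failed_login_attempts += 1
    if acct.failed_login_attempts >= MAX_FAILED_LOGINS:
        acct.state = "locked"
        acct.locked_until = now + LOCK_SECONDS
        return "locked"
    return "denied"

def super_user_enable(acct: Account) -> None:
    """The only path out of 'disabled': clear both counters and reopen the account."""
    acct.state = "active"
    acct.failed_login_attempts = 0
    acct.failed_grace_login_attempts = 0
```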


1 answer

  1. Akshay-MSFT 17,761 Reputation points Microsoft Employee
    2023-08-22T13:50:48.3966667+00:00

    @Martha Taylor

    Thank you for posting your query on Microsoft Q&A. I am reviewing this and will get back to you with further inputs.

    Update1:

    Thanks for your time and patience. At this point in time we don't have any sample custom policy to replicate the above scenario. However, you may use Smart Lockout to block a user for some time if the incorrect password is entered multiple times.

    [Image: Azure portal Password protection page in Azure AD settings]

    Entering the same, or similar password repeatedly doesn't count as multiple unsuccessful logins.

    I would recommend keeping the Lockout duration at at least 1 min (60 seconds).

    For an ideal testing scenario, kindly try: https://learn.microsoft.com/en-us/azure/active-directory-b2c/threat-management#testing-smart-lockout.

    Thanks,

    Akshay Kaushik

