Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
24,687 questions
CAPTCHA to the login flow using custom policies
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 9%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
Ricardo Saldanha Reis
0
Reputation points
Hi everyone,
I followed this documentation to add CAPTCHA to the login flow using custom policies: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-captcha?pivots=b2c-custom-policy
It works at first, but after three failed login attempts, the CAPTCHA disappears. The user can keep trying to log in without seeing the CAPTCHA again.
When the CAPTCHA returns the errorCode "ExceededMaxVerifyRetries", what should I do to stop the user from continuing?
Thanks for any help!
Microsoft Entra ID
{count} votes
-
Ricardo Saldanha Reis 0 Reputation points
2025-04-16T15:52:37.09+00:00 In additional, I dont do two steps: Enable CAPTCHA in MFA flow and Enable CAPTCHA feature flag
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 82%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVD%3C/text%3E%3C/svg%3E)
Vigneshwar Duvva 880 Reputation points Microsoft External Staff Moderator2025-04-17T23:29:51.48+00:00 Hello Ricardo Saldanha Reis
The "ExceededMaxVerifyRetries" error typically indicates that you've triggered the CAPTCHA system's maximum number of verification attempts in a short period. This can happen due to various reasons, such as rapid browsing behavior or using an IP address flagged for suspicious activities.
Clearing your browser's cache and cookies can sometimes resolve issues caused by outdated data.
Hope this helps. Do let us know if you have any further queries
-
Vigneshwar Duvva 880 Reputation points Microsoft External Staff Moderator
2025-04-18T17:44:22.19+00:00 Hello Ricardo Saldanha Reis
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back
-
Vigneshwar Duvva 880 Reputation points Microsoft External Staff Moderator
2025-04-21T19:14:33.8066667+00:00 Hello Ricardo Saldanha Reis
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 77%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Rukmini 2,356 Reputation points Microsoft External Staff Moderator2025-04-23T08:24:49.5233333+00:00 Hello @Ricardo Saldanha Reis, To handle the issue where the CAPTCHA disappears after three failed login attempts and the user can continue trying to sign in, you need to explicitly handle the
ExceededMaxVerifyRetrieserror code in your custom policy.You're using Azure AD B2C custom policies with reCAPTCHA as described in the Microsoft documentation: https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-captcha?pivots=b2c-custom-policy
After a few failed CAPTCHA attempts, the
reCAPTCHAresponse returns:"errorCode": "ExceededMaxVerifyRetries"At this point, the CAPTCHA no longer appears, and the user can keep trying to log in without restriction. This happens because your custom policy doesn't include logic to handle the
ExceededMaxVerifyRetrieserror. Without explicit handling, the journey continues as normal, and the CAPTCHA step is skipped.You need to:
- Intercept the
ExceededMaxVerifyRetrieserror. - Stop the user journey or show a friendly error message.
- Optionally, redirect the user to a custom error page or introduce a cooldown.
To do it, define a Predicate to Match the Error Code and add a Precondition to Handle the Error, Define the
Show-CaptchaExceeded-Errortechnical profile to present a message to the user.Once implemented, if a user exceeds the CAPTCHA retry limit, they'll be blocked from continuing and shown an error message, effectively preventing abuse and improving security.
Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
If any other further queries - feel free to reach out!
- Intercept the
-
Rukmini 2,356 Reputation points Microsoft External Staff Moderator
2025-04-24T06:02:33.7+00:00 @Ricardo Saldanha Reis, We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
-
Rukmini 2,356 Reputation points Microsoft External Staff Moderator
2025-04-25T03:18:54.4+00:00 @Ricardo Saldanha Reis, We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
Sign in to comment
Sign in to answer