Share via

Smart Lock keeps locking users on my Synology NAS?!

Tim 21 Reputation points
2021-04-09T07:56:54.813+00:00

Hello,

Azure Smart Lock keeps locking AzureAD users for some reason and I can't for the world find out why.

Setup:
We are running a Synology NAS. This NAS is connected to Azure through a VPN Gateway. This way we can sign-in on the NAS using a WebDAV service and authentication through Office365 (email). To access the files on the NAS we use a third party application RaiDrive where the user can login with their email and password.

Since we enabled the "change your password every 30 days" policy in O365 the issues began to rise. Users are getting locked out of their accounts and the NAS also states the account is on LOCKOUT state.

Upon investigating on the web I found out about Smart Lock. I've set the timer to 60s and failed login tries to 30 with no result. Users keep getting locked out, even while doing nothing. I've already contacted Synology Support but they told me there is no lock option in the NAS that could cause this, it's from Microsoft.

Just to be clear, we are not running a hybrid AD, it's only AzureAD.

Anybody familiar with this problem? Changing the Smart Lock settings doesnt change anything, user keeps getting locked out for hours and I'm not even able to UNLOCK it from an administrator perspective. This is crazy....

All help is greatly appreciated.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments
Answer accepted by question author
  1. Siva-kumar-selvaraj 15,731 Reputation points Volunteer Moderator
    2021-04-23T17:01:14.633+00:00

    Hello @Tim-3422,

    Thanks for reaching out and apologize for inconvenience caused.

    Currently, it is not possible for administrators to unlock the users' cloud accounts if they have been locked out by the Smart Lockout capability. The administrator must wait for the lockout duration to expire. However, the user can unlock by using the self-service password reset (SSPR) from a trusted device or location (https://aka.ms/SSPR).

    However, in this case I would strongly recommend you to use Azure AD Sign-ins logs which provided more insight and might help you with finding where exactly the lockouts where occurring rather than just unlocking users account, see below screenshot for your reference:

    90747-image.png

    Because, using smart lockout doesn't guarantee that a genuine user is never locked out. When smart lockout locks a user account, we try our best to not lock out the genuine user. The lockout service attempts to ensure that bad actors can't gain access to a genuine user account. The following considerations apply:

    • Each Azure AD data center tracks lockout independently. A user has (threshold_limit * datacenter_count) number of attempts, if the user hits each data center.
    • Smart Lockout uses familiar location vs unfamiliar location to differentiate between a bad actor and the genuine user. Unfamiliar and familiar locations both have separate lockout counters.

    More information : https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout

    Hope this helps.

    --------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.