ADFS ESL finegrained password policy

Skip Hofmann 341 Reputation points


If using multiple fine-grained password policies, what should the value of ExtranetLockoutThreshold be? The default domain password policy is 10 failed attempts. However, the fine-grained policies all have different values for failed logon attempts.


Accepted answer
Limitless Technology 39,331 Reputation points

Hi there,

There is no definite value for it, but it is strongly recommended that you set the ExtranetLockoutThreshold parameter to a value that is less than the AD account lockout threshold. Failing to do so would result in AD FS being unable to protect accounts from being locked out in Active Directory.

Once the threshold is reached, AD FS will immediately reject requests from the extranet without attempting to contact the domain controller for authentication, whether the password is good or bad, until the extranet observation window has passed.

An example of enabling the Extranet Lockout feature with a maximum of 15 bad password attempts and a 30-minute soft-lockout duration is as follows:

Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 15 -ExtranetObservationWindow (new-timespan -Minutes 30)

--If the reply is helpful, please Upvote and Accept it as an answer--

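Because the answer's rule ("ExtranetLockoutThreshold below the AD lockout threshold") has to hold against the lowest lockout threshold of any policy that applies to extranet users, here is an added check script (not from the answer above or from Microsoft) that lists the default domain policy and every fine-grained policy and compares the AD FS setting with the lowest enforced one. It assumes it is run where both the ActiveDirectory (RSAT) and ADFS PowerShell modules are available, typically on an AD FS server.

```powershell
# Added example: verify the AD FS extranet soft-lockout threshold sits below every AD lockout threshold in force.
# Assumes the ActiveDirectory (RSAT) and ADFS modules are installed on the machine running this script.
Import-Module ActiveDirectory
Import-Module ADFS

# Gather the default domain policy plus all fine-grained password policies (FGPPs).
$default  = Get-ADDefaultDomainPasswordPolicy
$policies = @([pscustomobject]@{ Name = 'Default Domain Policy'; LockoutThreshold = $default.LockoutThreshold })
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    $policies += [pscustomobject]@{ Name = $_.Name; LockoutThreshold = $_.LockoutThreshold }
}

# A LockoutThreshold of 0 means "never lock out", so it sets no ceiling; only policies that do lock out matter.
$enforced = $policies | Where-Object { $_.LockoutThreshold -gt 0 }
$lowestAd = ($enforced | Measure-Object -Property LockoutThreshold -Minimum).Minimum

$adfs = Get-AdfsProperties

"AD FS EnableExtranetLockout:    {0}" -f $adfs.EnableExtranetLockout
"AD FS ExtranetLockoutThreshold: {0}" -f $adfs.ExtranetLockoutThreshold
"AD FS ExtranetObservationWindow: {0}" -f $adfs.ExtranetObservationWindow
"Lowest enforced AD threshold:   {0}" -f $lowestAd
$policies | Sort-Object LockoutThreshold | Format-Table Name, LockoutThreshold -AutoSize

if (-not $adfs.EnableExtranetLockout) {
    Write-Warning 'Extranet Lockout is disabled; AD FS is not shielding accounts from AD lockout at all.'
}
elseif ($null -eq $lowestAd) {
    'No AD policy locks accounts out, so any ExtranetLockoutThreshold is acceptable.'
}
elseif ($adfs.ExtranetLockoutThreshold -ge $lowestAd) {
    $bad = $enforced | Where-Object { $_.LockoutThreshold -le $adfs.ExtranetLockoutThreshold }
    Write-Warning ('ExtranetLockoutThreshold ({0}) is not below the lowest AD threshold ({1}); users under: {2} can still be locked out in AD before AD FS soft-locks them.' -f
        $adfs.ExtranetLockoutThreshold, $lowestAd, (($bad.Name) -join ', '))
}
else {
    'OK: ExtranetLockoutThreshold ({0}) is below every enforced AD lockout threshold.' -f $adfs.ExtranetLockoutThreshold
}
```

The script only reads configuration; apply any change with Set-AdfsProperties as in the answer, keeping in mind that the ExtranetObservationWindow should also be compared with the AD policies' lockout observation windows.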
