ADFS ESL finegrained password policy

Skip Hofmann


If using multiple fine-grained password policies, what should be the value for ExtranetLockoutThreshold? The default domain password policy is 10 failed attempts. However, the fine-grained policies all have different values for failed logon attempts.

Tags: Azure Active Directory, Active Directory, Active Directory Federation Services

Accepted answer
  Limitless Technology

    Hi there,

    There is no definite value for it but it is strongly recommended that you set the ExtranetLockoutThreshold parameter value to a value that is less than the AD account lockout threshold. Failing to do so would result in AD FS being unable to protect accounts from being locked out in Active Directory.

    Once the threshold is reached, AD FS immediately rejects the requests from the extranet without attempting to contact the domain controller for authentication, no matter whether the password is good or bad, until the extranet observation window has passed.

    An example of enabling the Extranet Lockout feature with a maximum of 15 bad password attempts and a 30-minute soft-lockout duration is as follows:

    Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 15 -ExtranetObservationWindow (new-timespan -Minutes 30)

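An added example, not code from the question or the accepted answer, that applies the answer's rule when several fine-grained password policies are in force: it reads every AD lockout threshold (default domain policy plus each PSO), takes the strictest one, and checks the current AD FS ExtranetLockoutThreshold against it. It assumes the ActiveDirectory and ADFS PowerShell modules are installed, and that it runs on an AD FS server with rights to read the password-settings objects.

```powershell
# Added example: check the AD FS ESL threshold against every AD lockout threshold
# that can apply. Assumes the ActiveDirectory and ADFS modules are available.
Import-Module ActiveDirectory
Import-Module ADFS

# Collect every lockout threshold in force: the default domain policy plus each PSO.
$policies = @()
$default = Get-ADDefaultDomainPasswordPolicy
$policies += [pscustomobject]@{ Name = 'Default Domain Policy'; LockoutThreshold = $default.LockoutThreshold }
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    $policies += [pscustomobject]@{ Name = $_.Name; LockoutThreshold = $_.LockoutThreshold }
}
$policies | Format-Table -AutoSize

# A LockoutThreshold of 0 means "never lock out", so it places no bound on AD FS.
$lockingPolicies = $policies | Where-Object { $_.LockoutThreshold -gt 0 }

$current = (Get-AdfsProperties).ExtranetLockoutThreshold

if (-not $lockingPolicies) {
    Write-Output "No AD policy locks accounts; the ESL threshold ($current) only throttles extranet guessing."
    return
}

# The strictest AD threshold is the one AD FS must stay below: any user covered by
# that PSO would otherwise be locked out in AD before ESL starts rejecting attempts.
$strictest = $lockingPolicies | Sort-Object LockoutThreshold | Select-Object -First 1
$recommendedMax = $strictest.LockoutThreshold - 1

Write-Output "Strictest AD lockout threshold: $($strictest.LockoutThreshold) ($($strictest.Name))"
Write-Output "Current AD FS ExtranetLockoutThreshold: $current"

if ($current -ge $strictest.LockoutThreshold) {
    Write-Warning "ESL threshold is not below $($strictest.LockoutThreshold); users under '$($strictest.Name)' can be locked out in AD before ESL intervenes."
    Write-Output "Suggested: Set-AdfsProperties -ExtranetLockoutThreshold $recommendedMax"
} else {
    Write-Output "OK: AD FS rejects extranet requests before any AD policy reaches its lockout threshold."
}
```

If the strictest PSO covers only a small set of accounts, a higher ESL threshold is a deliberate decision to leave those accounts unprotected from extranet lockout, so the script reports the policy name rather than silently picking the default domain value.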
