On-Premise AD account lockout in PHS

adam900331 366 Reputation points
2022-04-08T06:57:44.3+00:00

Hy!

I have an on-premise AD with many users. I have an M365 subscription and use the hybrid identity with PHS. How handle the account lockout in hybrid? If users lockout in on-premise AD with failed login, will it synch to Azure AD? What happen when users lock out in AzureAD? Will it impact for on-premise AD login? How works it in this scenario? Is the lockout policy different in Azure AD then the on-premise AD?

Thanks.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,095 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,187 questions
{count} vote

1 answer

Sort by: Most helpful
  1. Siva-kumar-selvaraj 15,591 Reputation points
    2022-04-12T21:35:26.353+00:00

    Hello @adam900331 ,

    Thanks for reaching out and apologies for the delayed response.

    Yes, the lockout policy different in Azure AD then the on-premises AD. By default, smart lockout locks the account that are created and managed directly (for an example: Password Hash synchronized users) in Azure AD from sign-in attempts for one minute after 10 failed attempts for Azure Public and Azure China 21Vianet tenants and 3 for Azure US Government tenants.

    Similarly, if users are locked out of their synchronized accounts through AAD smart lockout, this has no effect on their on-premises accounts.

    For instance, if users are locked out of on-premises AD due to failed login attempts, but their synchronized (PHS) accounts continue to sign-in if the user enters valid credentials, but attempts to sign-in to Azure AD with an incorrect password, the user's account will be locked out using AAD's smart lockout feature.

    To learn more about, refer how to protect user accounts from attacks with Azure Active Directory smart lockout. Hope this helps.

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
    0 comments No comments