question

adam900331-4783 asked sikumars rolled back

On-Premise AD account lockout in PHS

Hi!

I have an on-premise AD with many users. I have an M365 subscription and use hybrid identity with PHS. How is account lockout handled in hybrid? If users are locked out in on-premise AD after failed logins, will it sync to Azure AD? What happens when users are locked out in Azure AD? Will it impact on-premise AD login? How does it work in this scenario? Is the lockout policy different in Azure AD than in the on-premise AD?

Thanks.

azure-active-directory, windows-active-directory, azure-ad-hybrid-identity

@adam900331-4783 ,
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.


1 Answer

sikumars answered sikumars rolled back

Hello @adam900331-4783 ,

Thanks for reaching out and apologies for the delayed response.

Yes, the lockout policy is different in Azure AD than in the on-premises AD. By default, smart lockout locks accounts that are created and managed directly (for example, password hash synchronized users) in Azure AD from sign-in attempts for one minute after 10 failed attempts for Azure Public and Azure China 21Vianet tenants and 3 for Azure US Government tenants.

Similarly, if users are locked out of their synchronized accounts through AAD smart lockout, this has no effect on their on-premises accounts.

For instance, if users are locked out of on-premises AD due to failed login attempts, their synchronized (PHS) accounts continue to sign in if the user enters valid credentials; but if the user attempts to sign in to Azure AD with an incorrect password, the user's account will be locked out by AAD's smart lockout feature.

To learn more, refer to how to protect user accounts from attacks with Azure Active Directory smart lockout. Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
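Because the answer above describes two independent lockout states, help-desk triage has to check both directories. The following Python script is an added example, not part of the original answer or any Microsoft tooling: it joins on-premises lockout events with Azure AD sign-in records to show which side locked each user. The event ID 4740, the error codes, the `upn` field, the function names and all sample records are assumptions or constructed data that do not appear on this page.

```python
from collections import defaultdict

ONPREM_LOCKOUT_EVENT_ID = 4740  # Windows Security log: "A user account was locked out"
AAD_LOCKED_ERROR_CODE = 50053   # Azure AD sign-in error returned while an account is locked

# Constructed sample data (not real logs). On-prem events are assumed to have been
# exported with the user's UPN so both sources can be joined on one key.
ONPREM_EVENTS = [
    {"EventID": 4740, "upn": "alice@contoso.example", "time": "2023-01-10T08:01:12Z"},
    {"EventID": 4624, "upn": "bob@contoso.example", "time": "2023-01-10T08:02:40Z"},
]
AAD_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example",
     "createdDateTime": "2023-01-10T08:05:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example",
     "createdDateTime": "2023-01-10T08:06:30Z", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bob@contoso.example",
     "createdDateTime": "2023-01-10T08:07:10Z", "status": {"errorCode": 50053}},
    {"userPrincipalName": "carol@contoso.example",
     "createdDateTime": "2023-01-10T08:09:00Z", "status": {"errorCode": 0}},
]

def lockout_sources(onprem_events, aad_signins):
    """Return {upn: set of directories that recorded a lockout for that user}."""
    seen = defaultdict(set)
    for ev in onprem_events:
        if ev.get("EventID") == ONPREM_LOCKOUT_EVENT_ID:
            seen[ev["upn"].lower()].add("on-prem AD")
    for rec in aad_signins:
        if rec.get("status", {}).get("errorCode") == AAD_LOCKED_ERROR_CODE:
            seen[rec["userPrincipalName"].lower()].add("Azure AD")
    return dict(seen)

def cloud_success_after_onprem_lockout(onprem_events, aad_signins):
    """UPNs with a successful Azure AD sign-in later than an on-prem lockout event."""
    # Timestamps are ISO 8601 UTC strings in one format, so string order is time order.
    locked_at = {}
    for ev in onprem_events:
        if ev.get("EventID") == ONPREM_LOCKOUT_EVENT_ID:
            upn = ev["upn"].lower()
            locked_at[upn] = min(locked_at.get(upn, ev["time"]), ev["time"])
    hits = set()
    for rec in aad_signins:
        upn = rec["userPrincipalName"].lower()
        ok = rec.get("status", {}).get("errorCode") == 0
        if ok and upn in locked_at and rec["createdDateTime"] > locked_at[upn]:
            hits.add(upn)
    return sorted(hits)
```

With the constructed data, alice is locked only on-premises yet still signs in to Azure AD, while bob is locked only by smart lockout.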
