Commit 2271c16

Merge pull request #179777 from sjiang26/patch-9
Update threat-management.md
2 parents 875a579 + 486a545 commit 2271c16

File tree

1 file changed

+7
-5
lines changed

articles/active-directory-b2c/threat-management.md

Lines changed: 7 additions & 5 deletions
@@ -14,10 +14,12 @@ ms.author: kengaderdus
1414
ms.subservice: B2C
1515
---
1616

17-
# Mitigate credential attacks in Azure AD B2C
17+
# Mitigate credential attacks in Azure AD B2C with smart lockout
1818

1919
Credential attacks lead to unauthorized access to resources. Passwords that are set by users are required to be reasonably complex. Azure AD B2C has mitigation techniques in place for credential attacks. Mitigation includes detection of brute-force credential attacks and dictionary credential attacks. By using various signals, Azure Active Directory B2C (Azure AD B2C) analyzes the integrity of requests. Azure AD B2C is designed to intelligently differentiate intended users from hackers and botnets.
2020

21+
## How smart lockout works
22+
2123
Azure AD B2C uses a sophisticated strategy to lock accounts. The accounts are locked based on the IP of the request and the passwords entered. The duration of the lockout also increases based on the likelihood that it's an attack. After a password is tried 10 times unsuccessfully (the default attempt threshold), a one-minute lockout occurs. The next time a login is unsuccessful after the account is unlocked (that is, after the account has been automatically unlocked by the service once the lockout period expires), another one-minute lockout occurs and continues for each unsuccessful login. Entering the same, or similar password repeatedly doesn't count as multiple unsuccessful logins.
2224

2325
> [!NOTE]
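Review bot: The renamed H1 and the new "## How smart lockout works" heading both introduce the term "smart lockout", but the unchanged intro paragraph between them never names it; it only says Azure AD B2C "has mitigation techniques in place for credential attacks". A reader reaches the new heading without being told that smart lockout is the name of that mitigation. Suggest adding one sentence to the intro, for example "This protection is called smart lockout.", so the heading follows from the text above it.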
@@ -27,16 +29,16 @@ Azure AD B2C uses a sophisticated strategy to lock accounts. The accounts are lo
2729

2830
The first 10 lockout periods are one minute long. The next 10 lockout periods are slightly longer and increase in duration after every 10 lockout periods. The lockout counter resets to zero after a successful login when the account isn’t locked. Lockout periods can last up to five hours. Users must wait for the lockout duration to expire. However, the user can unlock by using self-service [password user flow](add-password-reset-policy.md).
2931

30-
## Manage password protection settings
32+
## Manage smart lockout settings
3133

32-
To manage password protection settings, including the lockout threshold:
34+
To manage smart lockout settings, including the lockout threshold:
3335

3436
1. Sign in to the [Azure portal](https://portal.azure.com)
3537
1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
3638
1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
3739
1. In the left menu, select **Azure AD B2C**. Or, select **All services** and search for and select **Azure AD B2C**.
3840
1. Under **Security**, select **Authentication methods (Preview)**, then select **Password protection**.
39-
1. Under **Custom smart lockout**, enter your desired password protection settings:
41+
1. Under **Custom smart lockout**, enter your desired smart lockout settings:
4042

4143
- **Lockout threshold**: The number of failed sign-in tries that are allowed before the account is first locked out. If the first sign-in after a lockout also fails, the account locks again.
4244
- **Lockout duration in seconds**: The minimum duration of each lockout in seconds. If an account locks repeatedly, this duration increases.
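Review bot: After the rename, the section heading and its lead sentence say "smart lockout settings", but step 5 still ends at "select **Password protection**" and the bullets under it describe a "password protection"-style blade. Since the portal blade keeps its old name, the mismatch is expected, but it will read as an error unless step 5 says so; suggest "...then select **Password protection**. Smart lockout is configured on this page." Minor: step 1 ("Sign in to the [Azure portal](https://portal.azure.com)") is the only step without a terminating period.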
@@ -46,7 +48,7 @@ To manage password protection settings, including the lockout threshold:
4648

4749
1. Select **Save**.
4850

49-
## Testing the password protection settings
51+
## Testing smart lockout
5052

5153
The smart lockout feature uses many factors to determine when an account should be locked, but the primary factor is the password pattern. The smart lockout feature considers slight variations of a password as a set, and they’re counted as a single try. For example:
5254
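Review bot: The new heading "## Testing smart lockout" is the only gerund heading in the touched sections; the others use imperatives ("Mitigate credential attacks ...", "Manage smart lockout settings"). Suggest "## Test smart lockout" for parallel structure. The paragraph below it is consistent with the rename and needs no further change.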
