You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/active-directory/authentication/howto-password-smart-lockout.md
+7-7Lines changed: 7 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -28,14 +28,14 @@ Smart lockout tracks the last three bad password hashes to avoid incrementing th
28
28
> [!NOTE]
29
29
> Hash tracking functionality isn't available for customers with pass-through authentication enabled as authentication happens on-premises not in the cloud.
30
30
31
-
Federated deployments that use AD FS 2016 and AD FS 2019 can enable similar benefits using [AD FS Extranet Lockout and Extranet Smart Lockout](/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection).
31
+
Federated deployments that use AD FS 2016 and AD FS 2019 can enable similar benefits using [AD FS Extranet Lockout and Extranet Smart Lockout](/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection). It is recommended to move to [managed authentication](https://www.microsoft.com/security/business/identity-access/upgrade-adfs).
32
32
33
33
Smart lockout is always on, for all Azure AD customers, with these default settings that offer the right mix of security and usability. Customization of the smart lockout settings, with values specific to your organization, requires Azure AD Premium P1 or higher licenses for your users.
34
34
35
35
Using smart lockout doesn't guarantee that a genuine user is never locked out. When smart lockout locks a user account, we try our best to not lock out the genuine user. The lockout service attempts to ensure that bad actors can't gain access to a genuine user account. The following considerations apply:
36
36
37
-
* Lockout state across Azure AD data centers are synchronized. The total number of failed sign-in attempts allowed before an account is locked out will also match the configured lockout threshold though there still may be some slight variance before a lockout. Once an account is locked out, they will be locked out everywhere across all Azure AD data centers.
38
-
* Smart Lockout uses familiar location vs unfamiliar location to differentiate between a bad actor and the genuine user. Unfamiliar and familiar locations both have separate lockout counters.
37
+
* Lockout state across Azure AD data centers is synchronized. However, the total number of failed sign-in attempts allowed before an account is locked out will have slight variance from the configured lockout threshold. Once an account is locked out, it will be locked out everywhere across all Azure AD data centers.
38
+
* Smart Lockout uses familiar location vs unfamiliar location to differentiate between a bad actor and the genuine user. Both unfamiliar and familiar locations have separate lockout counters.
39
39
40
40
Smart lockout can be integrated with hybrid deployments that use password hash sync or pass-through authentication to protect on-premises Active Directory Domain Services (AD DS) accounts from being locked out by attackers. By setting smart lockout policies in Azure AD appropriately, attacks can be filtered out before they reach on-premises AD DS.
41
41
@@ -66,7 +66,7 @@ Based on your organizational requirements, you can customize the Azure AD smart
66
66
67
67
To check or modify the smart lockout values for your organization, complete the following steps:
68
68
69
-
1. Sign in to the [Azure portal](https://portal.azure.com).
69
+
1. Sign in to the [Entra portal](https://entra.microsoft.com/#home).
70
70
1. Search for and select *Azure Active Directory*, then select **Security** > **Authentication methods** > **Password protection**.
71
71
1. Set the **Lockout threshold**, based on how many failed sign-ins are allowed on an account before its first lockout.
72
72
@@ -87,7 +87,7 @@ When the smart lockout threshold is triggered, you will get the following messag
87
87
88
88
*Your account is temporarily locked to prevent unauthorized use. Try again later, and if you still have trouble, contact your admin.*
89
89
90
-
When you test smart lockout, your sign-in requests might be handled by different datacenters due to the geo-distributed and load-balanced nature of the Azure AD authentication service. In that scenario, because each Azure AD datacenter tracks lockout independently, it might take more than your defined lockout threshold number of attempts to cause a lockout. A user has a maximum of (*threshold_limit * datacenter_count*) number of bad attempts before being completely locked out.
90
+
When you test smart lockout, your sign-in requests might be handled by different datacenters due to the geo-distributed and load-balanced nature of the Azure AD authentication service.
91
91
92
92
Smart lockout tracks the last three bad password hashes to avoid incrementing the lockout counter for the same password. If someone enters the same bad password multiple times, this behavior won't cause the account to lock out.
93
93
@@ -97,6 +97,6 @@ In addition to Smart lockout, Azure AD also protects against attacks by analyzin
97
97
98
98
## Next steps
99
99
100
-
To customize the experience further, you can [configure custom banned passwords for Azure AD password protection](tutorial-configure-custom-password-protection.md).
100
+
-To customize the experience further, you can [configure custom banned passwords for Azure AD password protection](tutorial-configure-custom-password-protection.md).
101
101
102
-
To help users reset or change their password from a web browser, you can [configure Azure AD self-service password reset](tutorial-enable-sspr.md).
102
+
-To help users reset or change their password from a web browser, you can [configure Azure AD self-service password reset](tutorial-enable-sspr.md).
0 commit comments