When you use Azure AD Pass-Through authentication, your users are authenticated against your on-premises Active Directory when they access cloud services (the same as with Federation, except that it requires less infrastructure).
So, knowing that you are authenticating against your on-premises AD, what happens if an attacker tries to gain access to your resources? You will tell me “Easy, the AD account is going to be locked out because of the group policy”.
To protect against such a situation, where a user account gets locked out because of an external attack against cloud services, Azure AD already has a ‘smart lockout’ functionality which automatically blocks further attempts after a certain number of failed attempts within a certain period of time (for those familiar with AD FS, this is similar to the Extranet Lockout).
This Azure functionality is only available if you use Pass-Through authentication.
NOTE the ‘certain period of time’ is neither published nor configurable; it is adjusted automatically based on the analysis of sign-in attempts done by Azure.
The ‘certain number of failed attempts’ is set by default to 10 failed attempts, and the lockout period is set by default to 60 seconds.
These default values may not reflect your on-premises security settings for Account lockout threshold and Reset account lockout counter after; you may need to lower or increase these values to match your configuration.
IMPORTANT NOTE updating these values requires that your global administrator is licensed with an Azure Premium P2 license.
- First, review your on-premises settings for account lockout; these should be configured by the Default Domain Policy under Computer Configuration\Policies\Windows Settings\Security Settings\Account Lockout Policy
Remark: while you review your current configuration, it could be good to ask “Does it need to be adjusted too?”
- Then log on to Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer) and update the permissions to enable Directory.ReadWrite.All
- When applying the updated permissions, you will be logged out and will have to sign in again
- Then query the current configuration. Select GET and beta from the drop-downs and complete the query with <your tenant name>/settings; this gives something like https://graph.microsoft.com/beta/mytenant.onmicrosoft.com/settings
Then look for the values of LockoutDurationInSeconds and LockoutThreshold. Keys or values may not exist, or may be empty, if not yet configured/used
- Then, to update the values, switch the method to POST and paste the following JSON (with the values updated to match your needs) in the Request Body field
NOTE if the values have already been set, you must use the PATCH method to update them
"name" : "BannedPasswordList",
"name" : "EnableBannedPasswordCheck",
- You should get Status Code 201 as a result
- Then switch the method back to GET; you should see your updated settings
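As an added example (not part of the original post), the following Python script carries out the decision logic of the steps above offline: it reads a GET settings response, reports whether LockoutThreshold and LockoutDurationInSeconds are set or empty, picks POST when nothing is set yet and PATCH otherwise, and builds a request body that matches the on-premises lockout policy. The response shape (name/value pairs in a values array), the mapping of the on-prem "Reset account lockout counter after" minutes to LockoutDurationInSeconds, and the templateId placeholder are assumptions; the sample responses are constructed, not captured from a tenant.

```python
import json

LOCKOUT_KEYS = ("LockoutThreshold", "LockoutDurationInSeconds")

# Constructed sample of a GET https://graph.microsoft.com/beta/<tenant>/settings
# response, shaped as name/value pairs as the post describes; not captured from a
# real tenant. LockoutThreshold is set, LockoutDurationInSeconds is still empty.
SAMPLE_SETTINGS_RESPONSE = json.dumps({"value": [{
    "templateId": "<templateId-placeholder>",  # real id is not given in the post
    "values": [
        {"name": "EnableBannedPasswordCheck", "value": "true"},
        {"name": "BannedPasswordList", "value": ""},
        {"name": "LockoutThreshold", "value": "10"},
        {"name": "LockoutDurationInSeconds", "value": ""},
    ]}]})

# Constructed sample for a tenant where nothing has been configured yet.
EMPTY_SETTINGS_RESPONSE = json.dumps({"value": []})


def current_lockout(settings_json):
    """Extract the two smart-lockout values; a missing or empty key yields None."""
    found = {key: None for key in LOCKOUT_KEYS}
    for setting in json.loads(settings_json).get("value", []):
        for pair in setting.get("values", []):
            name, value = pair.get("name"), pair.get("value")
            if name in found and value not in (None, ""):
                found[name] = int(value)
    return found


def plan_update(settings_json, onprem_threshold, onprem_reset_minutes):
    """Compare cloud smart lockout with the on-prem policy and build the request.

    onprem_threshold maps to LockoutThreshold; the on-prem 'Reset account lockout
    counter after' value (minutes) is converted to LockoutDurationInSeconds
    (assumption). POST is used when no value is set yet, PATCH otherwise.
    """
    current = current_lockout(settings_json)
    desired = {"LockoutThreshold": onprem_threshold,
               "LockoutDurationInSeconds": onprem_reset_minutes * 60}
    method = "PATCH" if any(v is not None for v in current.values()) else "POST"
    changes = {k: v for k, v in desired.items() if current[k] != v}
    body = {"templateId": "<templateId-placeholder>",
            "values": [{"name": k, "value": str(v)} for k, v in desired.items()]}
    return {"method": method, "changes": changes, "body": body}


if __name__ == "__main__":
    plan = plan_update(SAMPLE_SETTINGS_RESPONSE, onprem_threshold=5, onprem_reset_minutes=30)
    print(plan["method"], plan["changes"])
    print(json.dumps(plan["body"], indent=2))
```

The printed body is what you would paste into the Request Body field, after replacing the templateId placeholder with the one returned by your own GET query.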