AzureAD Smart Lockout

Have you ever wondered how Microsoft prevents password guessing attacks or brute force attacks on Azure AD? Well, it is basically the same method as you would do on your on-premises User Directory! It is just smarter!

Azure AD Smart Lockout is a feature applied to every sign-in processed by Azure AD, regardless of whether the user has a cloud-managed account or an account synced from on-premises using password hash sync or pass-through authentication.
The smart part comes from the ability to distinguish valid users from attackers: it locks out the attackers while letting your users continue to access their accounts and be productive.


If you still run AD FS, there is also a feature named Extranet Smart Lockout, but this one is not as smart as the one in Azure AD: https://support.microsoft.com/en-us/help/4096478/extranet-smart-lockout-feature-in-windows-server-2016

The default lockout setting kicks in after ten invalid login attempts and lasts one minute. After that, the account locks again after each subsequent failed attempt, for one minute at first and for longer periods on later attempts. Smart Lockout also tracks the last three bad password hashes so that the lockout counter is not incremented for the same password: if the same bad password is entered multiple times, it will not count towards another lockout.

Note: the tracking of repeated bad passwords is only available in the password hash sync scenario, because with pass-through authentication the password validation happens against your on-premises AD domain controllers.

Smart Lockout is always turned on for all Azure AD customers. If you want to modify the default behavior of 10 invalid attempts triggering a one-minute lockout, you need Azure AD P1 or P2 licenses for your users.
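As an added illustration (this is not Microsoft's code and is not from the original post), the following Python simulation applies the rules described above to a single account. The doubling of later lockout durations, the reset on a successful sign-in and the use of SHA-256 as the "bad password hash" are assumptions, since the post only says that later lockouts are longer.

```python
import hashlib
import time
from collections import deque

# Constructed simulation of the lockout rules described above, not Azure AD's code.
# Assumptions not stated in the post: each later lockout lasts twice as long as the
# previous one, a successful sign-in clears the counters, SHA-256 stands in for the hash.
LOCKOUT_THRESHOLD = 10      # invalid attempts before the first lockout
FIRST_LOCKOUT_SECONDS = 60  # first lockout is one minute
TRACKED_BAD_HASHES = 3      # last three bad password hashes are remembered


class SmartLockoutTracker:
    """Per-account lockout state. `clock` is injectable so the logic can be tested."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failed = 0          # counted failures since the last successful sign-in
        self.lockouts = 0        # how many lockouts have been triggered so far
        self.locked_until = 0.0  # clock value at which the current lockout ends
        self.recent_bad = deque(maxlen=TRACKED_BAD_HASHES)

    def is_locked(self):
        return self.clock() < self.locked_until

    def record_failure(self, password):
        """Process a failed sign-in. Returns (locked_now, attempt_was_counted)."""
        if self.is_locked():
            return True, False  # rejected without touching the counters
        digest = hashlib.sha256(password.encode()).hexdigest()
        if digest in self.recent_bad:
            # Same wrong password again (e.g. a stale cached credential): not counted.
            return False, False
        self.recent_bad.append(digest)
        self.failed += 1
        if self.failed >= LOCKOUT_THRESHOLD:
            # Tenth distinct failure locks; every later distinct failure re-locks for longer.
            duration = FIRST_LOCKOUT_SECONDS * (2 ** self.lockouts)
            self.locked_until = self.clock() + duration
            self.lockouts += 1
            return True, True
        return False, True

    def record_success(self):
        """A correct password while not locked clears the lockout history."""
        if self.is_locked():
            return False
        self.failed, self.lockouts, self.locked_until = 0, 0, 0.0
        self.recent_bad.clear()
        return True
```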


How to check if an external user has accepted the invitation

From time to time, I receive calls from my customers saying that they sent invitations from SharePoint Online to external users, but the users claim that they did not receive anything. This post will try to clarify the process and how to check the invitation status of a user.

As you know, every invitation made from O365 (Teams, O365 Groups, SPO…) relies on Azure Active Directory, so that is where our source of information will be. So what are the steps that we need to follow?

The important thing here is the source field. If the source field shows "Invited user", it means the user has not accepted the invitation. If that is the case, you can click on "Resend invitation" and this will trigger another invite for the user to redeem.


Once the user has redeemed the external user invite, check the source field again: it is updated according to the identity source the user signed in with.

In this case, the user has been invited with a Microsoft Account (@outlook, @hotmail):


In this other case, the user has been invited with an organizational account (note that the source is "External Azure Active Directory"):


That’s all!


AzureAD admin is in the new Azure Portal!

Hi there!

Yes, you read that right: Microsoft has launched the preview of Azure AD in the new Azure Portal. As you know, until now, whenever you needed to configure something in Azure AD from the new portal, it automatically redirected you to manage.windowsazure.com.

It was very confusing and it was simply stupid, but from today we can enjoy the new Azure Portal:


I hope that Microsoft keeps improving the user experience of this new feature, but for now this is great news 🙂

If you want more information about this, you can visit the following TechNet blog post.

Cheers!


Update DirSync to AAD: Part 3

Once you have installed your new AAD Sync, it will start a synchronization. A really cool feature that the Microsoft guys have added is that the AAD installation creates a scheduled task on the local machine, so if you need to change the sync interval or run the synchronization manually, it is possible!

The only thing you need to do is open Scheduled Tasks and modify the schedule of the task to adjust the frequency. Once that is done, that is enough!

Hope that helps!