Is it possible to check if the user is in the account-locked state and within the account lockout duration? The requirement is to show the user an error that the account is locked and that he/she needs to wait until the lockout duration is completed, in a custom sign-in journey. During the lockout period, even if the user enters a correct password, we should not let them in. I checked the user attributes but could not find a corresponding attribute to work with. Is accountEnabled the right one to check? Is it possible to use AAD-UserReadUsingEmailAddress-emailAddress as a first step before login-noninteractive kicks in, read the accountEnabled attribute, and provide a custom message and stop the flow if it is set to false? If this attribute is not designed for the locked state, which attribute/way should be used for this purpose?

Erkan Y.

1 Answer

You need to:

  • Have a self-asserted screen that asks for the email address
  • Call a user read by email address - add accountEnabled as an output if not there
  • Check accountEnabled. If false, check the time. If within the lockout period, display an error message.
  • If not, call login-noninteractive.
  • Set accountEnabled to true
rbrayb
  • Thank you, how do I check the time and see if it is within the lockout period? Any sample code you can refer me to for all or some of these steps? – Erkan Y. Nov 28 '22 at 14:37
  • Look at the samples e.g. https://github.com/azure-ad-b2c/samples/tree/master/policies/force-password-reset-after-90-days or https://github.com/azure-ad-b2c/samples/tree/master/policies/disable-inactive-account – rbrayb Nov 28 '22 at 18:03
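An added custom-policy fragment (not code from the question, the answer, or the linked samples) for the "check accountEnabled, then check the time" steps of the answer. It assumes a hypothetical dateTime extension attribute extension_lockoutUntil that the policy writes when a lockout starts and that AAD-UserReadUsingEmailAddress-emailAddress returns alongside accountEnabled; currentDateTime, isStillLockedOut and SelfAsserted-AccountLocked (the page that shows the message) are assumed names you declare yourself.

```xml
<!-- Added example, not from the post. extension_lockoutUntil is a hypothetical
     dateTime extension attribute read by AAD-UserReadUsingEmailAddress-emailAddress. -->
<ClaimsTransformation Id="GetCurrentDateTime" TransformationMethod="GetCurrentDateTime">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="currentDateTime" TransformationClaimType="currentDateTime" />
  </OutputClaims>
</ClaimsTransformation>
<!-- isStillLockedOut = (extension_lockoutUntil is later than currentDateTime);
     when no lockout timestamp is stored the transformation is skipped and the claim stays unset -->
<ClaimsTransformation Id="CompareLockoutUntilToNow" TransformationMethod="DateTimeComparison">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="extension_lockoutUntil" TransformationClaimType="firstDateTime" />
    <InputClaim ClaimTypeReferenceId="currentDateTime" TransformationClaimType="secondDateTime" />
  </InputClaims>
  <InputParameters>
    <InputParameter Id="operator" DataType="string" Value="later than" />
    <InputParameter Id="timeSpanInSeconds" DataType="int" Value="0" />
  </InputParameters>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="isStillLockedOut" TransformationClaimType="result" />
  </OutputClaims>
</ClaimsTransformation>

<!-- User journey step placed after the user read and a claims-transformation technical
     profile that runs the two transformations above. The locked-out page is shown only when
     accountEnabled is false AND the window is still open; otherwise the step is skipped. -->
<OrchestrationStep Order="4" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
      <Value>accountEnabled</Value>
      <Value>True</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <!-- no timestamp stored: a missing claim would make ClaimEquals be ignored, so skip explicitly -->
    <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
      <Value>isStillLockedOut</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
    <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
      <Value>isStillLockedOut</Value>
      <Value>True</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="ShowAccountLocked" TechnicalProfileReferenceId="SelfAsserted-AccountLocked" />
  </ClaimsExchanges>
</OrchestrationStep>
```

The steps that follow (login-NonInteractive, then writing accountEnabled back to true) stay as in the answer; the gate above only decides whether the journey reaches them.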