Friday 1 December 2017

Configuring Extranet Lock Protection in ADFS 2016

Extranet Lock Protection is used to protect your Internet facing ADFS from password brute force attacks. Extranet Lock Protection works much like an Account Lockout Policy in Active Directory, you set a password attempt threshold in conjunction with a period of time before the user in question can be authenticated. With ELP enabled, even if the user attempts to login to the Sign In page using valid credentials after the threshold has been met and before the lock time has expired, they will not be granted access.


ADFS ELP works separately from Active Directory account lock outs, if you enable ELP it will not disable on premise user accounts if a brute force attack has been attempted at the ADFS Sign In page.

Some comparisons should be made between the AD Account Lockout Policy and ELP.

·      Lockout threshold on ELP should be less than the threshold in AD.
·      Lockout time window on ELP should be greater than the threshold in AD.


Extranet Lock Protection is not enabled by default on Server 2012 R2 or Server 2016.

View the default using Get-AdfsProperties


Enable Extranet Lockout Protection with a threshold of 3 wrong authentication attempts and a lockout observation window of 15 minutes.

Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 3 -ExtranetObservationWindow (new-timespan -Minutes 15)

Run the command Get-AdfsProperties again to ensure the change has been applied.


It’s worth noting that it takes some time for the warning to disappear from the Azure AD Connect page inside the Azure Portal. It does not seem to be instant and nothing I did seemed to force a re-evaluation.

Further reading https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-lockout-protection