Extranet Lockout Protection (ELP) is used to protect your Internet-facing ADFS from password brute-force attacks. ELP works much like an Account Lockout Policy in Active Directory: you set a threshold of failed password attempts together with a period of time during which the user in question cannot be authenticated. With ELP enabled, even if the user attempts to log in to the Sign In page using valid credentials after the threshold has been met and before the lock time has expired, they will not be granted access.
ADFS ELP works separately from Active Directory account lockouts; if you enable ELP it will not disable on-premises user accounts when a brute-force attack has been attempted at the ADFS Sign In page.
Some comparisons should be made between the AD Account Lockout Policy and ELP:
- The lockout threshold on ELP should be less than the threshold in AD.
- The lockout time window on ELP should be greater than the threshold in AD.
Extranet Lock Protection is not enabled by default on Server
2012 R2 or Server 2016.
View the defaults using Get-AdfsProperties.
Enable Extranet Lockout Protection with a threshold of 3 wrong authentication attempts and a lockout observation window of 15 minutes:
Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 3 -ExtranetObservationWindow (New-TimeSpan -Minutes 15)
Run the command Get-AdfsProperties again to ensure the
change has been applied.
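As an added example (not part of the original post), the script below reads the ELP settings back with Get-AdfsProperties, reads the domain's Account Lockout Policy with Get-ADDefaultDomainPasswordPolicy, and reports whether the two comparison rules above hold. It assumes both the ADFS and ActiveDirectory modules are available on the server, and it reads the post's "time window greater than AD" rule as a comparison against the AD lockout observation window.

```powershell
# Added example: compare AD FS Extranet Lockout Protection with the domain
# Account Lockout Policy. Assumes the ADFS and ActiveDirectory modules exist
# on this host; the "window" rule is compared against AD's observation window.
Import-Module ADFS
Import-Module ActiveDirectory

function Test-ElpAgainstAdLockout {
    $adfs = Get-AdfsProperties
    $ad   = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    if (-not $adfs.ExtranetLockoutEnabled) {
        $findings += 'Extranet Lockout Protection is disabled (the default on 2012 R2 / 2016).'
    }

    # Rule 1: ELP threshold should be lower than the AD lockout threshold.
    # An AD LockoutThreshold of 0 means AD never locks accounts, so the rule
    # cannot be applied and ELP is the only brute-force guard in front of AD.
    if ($ad.LockoutThreshold -eq 0) {
        $findings += 'AD lockout is disabled (LockoutThreshold = 0); ELP is the only guard.'
    } elseif ($adfs.ExtranetLockoutThreshold -ge $ad.LockoutThreshold) {
        $findings += ('ELP threshold ({0}) should be lower than the AD threshold ({1}).' -f
            $adfs.ExtranetLockoutThreshold, $ad.LockoutThreshold)
    }

    # Rule 2: ELP observation window should be longer than AD's observation
    # window (assumption: that is what "threshold in AD" refers to here).
    if ($adfs.ExtranetObservationWindow -le $ad.LockoutObservationWindow) {
        $findings += ('ELP window ({0}) should be longer than the AD observation window ({1}).' -f
            $adfs.ExtranetObservationWindow, $ad.LockoutObservationWindow)
    }

    # Summary object: empty Findings means both rules from the post are satisfied.
    [pscustomobject]@{
        ElpEnabled      = $adfs.ExtranetLockoutEnabled
        ElpThreshold    = $adfs.ExtranetLockoutThreshold
        ElpWindow       = $adfs.ExtranetObservationWindow
        AdThreshold     = $ad.LockoutThreshold
        AdWindow        = $ad.LockoutObservationWindow
        Findings        = $findings
    }
}

Test-ElpAgainstAdLockout | Format-List
```

Run it after Set-AdfsProperties to confirm the change landed and that the chosen values still sit correctly relative to the domain policy.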
It’s worth noting that it takes some time for the warning to
disappear from the Azure AD Connect page inside the Azure Portal. It does not
seem to be instant and nothing I did seemed to force a re-evaluation.
Further reading: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-lockout-protection