The sample policy is developed and managed by the open-source community in GitHub. This policy is not part of Azure AD B2C product and it's not supported under any Microsoft standard support program or service. The policy is provided AS IS without warranty of any kind.
For scenarios where you need to prevent users logging into the application after a set number of days. The account will also be disabled at the time of the users login attempt in the case the user logs in after the time period.
This sample presents the user with a dummy screen where a friendly error can be presented when a user tries to login after their account is deemed inactive. Administrators would need to update the users last logon time extension attribute and set the account to enabled in Azure AD B2C before the user can login again. This is demonstrated in the unlock_account.ps1 script.
The policy gets the current time using a claims transformation (GetSystemDateTime) as part of the AAD-UserReadUsingObjectId technical profile.
In the case of a new sign up, we use the presence of the newUser claim to write the current time into the extension_lastLogonTime attribute via the AAD-UserWriteLogonTimeUsingObjectId technical profile.
For sign in's, the last logon time is read via the AAD-UserReadLastLogonTime technical profile.
As part of this step, a claims transformation is run called CompareTimetoLastLogonTime, which checks the difference between the last logon time and the set time period in the CompareTimetoLastLogonTime claims transformation.
This time period is defined in the input parameter called timeSpanInSeconds, and is measured in seconds. This policy is set to 160 seconds by default. This will output True if the time is greater than timeSpanInSeconds compared to the last logon time, and False otherwise. The value is stored in userLockedOutForInactivity.
Next, the AAD-DisableAccount technical profile is executed based off the precondition that userLockedOutForInactivity returned True. This will mark the account as disabled.
The user will be presented with a dummy page rendered by the Self-Asserted-AccountDisabled technical profile. A custom error page can be shown here.
For subsequent logons whilst the account is disabled, the user will be get treated by the native Azure AD B2C functionality for disabled accounts. This error message can also be customised.
- Sign up with an account, check the value of exentsion_lastLogonTime using the unlock-account.ps1 script.
- Sign in after sign up to make sure the account can login successfully.
- After a few minutes, sign in again and verify the account is locked out.
- Sign in again and you will see the native account disabled error from Azure AD B2C
- Use the script to unlock the account and repeat these steps.