Brute Force Detection - Unblocking

I am using enterprise connection for my portal. After 10 times of failed login, Brute Force Detection has been triggered and blocked the user from all IP’s and the user was also blocked in the active directory. Now when the user has been unblocked on AD, the Brute Force check has been removed even on auth0 portal( i.e on removing block on AD, Block was removed on auth0 as well). Is it suppose to work that way ? Or should the admin manually remove the block in dashboard. Can you please provide some documentation on this issue. I could not find any documentation for Brute Force Detection in regards to Active Directory.
Anupam Bhaskar

The brute force detection, as far as I’m aware, should not have anything specific in regards to Active Directory, more specifically, it’s triggered due to failed login attempts, but should be independent of how the actual login credentials are validated. Said another way, if the user fails their credentials ten times then it will trigger anomaly detection independently of the fact that the credentials were being validated against Active Directory or a custom database connection.

With this in mind you should refer to the general documentation about anomaly detection. Of particular interest would be the brute-force protection shield that is triggered after ten failed login attempts from the same user and IP address. In this particular situation the user itself can remove the block by clicking on the unblock link available in the email that notified the user of this situation; this is fine, because the user is acknowledging that the failed login attempts were his own and his doing that by having means to an out-of-band communication mechanism (the email inbox).

Thanks for response. It is working as expected when user unblocks via email, but i wanted to know if the admin unblocks the user in active directory. Does it unblock the user in auth0 “Users” tab as well. The links you provided does not have any information about the brute force protection in enterprise connection environment. Any help would be great.

I might be missing something, but you should be able to have independent policies at the AD versus the one provided by anomaly detection. Like mentioned in my answer, I’m not aware of anything at the anomaly detection level that is specific to an enterprise AD connection; hence me pointing you the documentation in question. In conclusion, if your group policy at the AD also blocks the user after ten failed attempts this is an independent locking mechanism which would imply the user would have to be unblocked in anomaly detection and in the AD.

Yes. After 10 failed attempts, user was getting blocked both on AD and Auth0 anomaly detection. Similarly when trying to unblock the user from AD, it was unblocking Auth0 anomaly detection as well (working more like a two way binding). This is what is expected by the client but they are requesting for an official documentation from Auth0 which explains this procedure.