Auth0 Home Blog Docs

User cannot access admin dashboard - blocked too many attempts


#1

Hi,

We have two users which after creation, can sign in to the hosted apps properly. However, when we add them as an administrator through the dashboard, and they try to log in (using the link given to them in the invitation email), they keep getting an error message saying: blocked for too many attempts.

This only happens with two of our users. Now, I have tried deleting their account and creating new ones, as well as blocking them and unblocking them both via GUI and API. However this doesnt really change anything.

Thanks


#2

Use the mgmt api directly to remove all IP address blocks:


#3

Hi Mark,

I tried that with one of the users, same issue. Any other ways please? Thanks


#4

Just to clarify, which dashboard are you referring to? The management dashboard (manage.auth0.com) or the Delegated Administration Dashboard (an extension you can enable in your tenant)?


#5

Hi Mark

I am referring to the management dashboard (Tenant Settings > Dashboard Admins). What I also find is on that page, the two users who are having those issues have (expired) next to their name, the others have (auth0).

They also have MFA Pending as their status (not sure if that has anything to do with it, but wanted to let you know).

I have tried to delete their user accounts and re-add them but still the same issue. Also used the API routes you provided but returns a 204 no content.

Thanks!


#6

Expired means their invite expired. Remove them, re-add, and make sure they check their spam for the invitation if they don’t see it in their inbox. You have no control over their MFA.

I think the Auth0 management dashboard user model confuses people (I hope I get this right): It is similar to the github or heroku models where you can invite anyone (any other github or heroku user) to your tenant (or your app) and you can revoke their access to your tenant, but you do not control their own Auth0 user account. E.g., someone can invite me (github user dmark) to work on their github project, and they can remove me from the project, but they have no control over my github account (including the MFA on my account). Auth0 is set up the same way.

Users within your tenant are completely separate from a tenant’s management dashboard users, though they can use the same authentication method: e.g. I can log in to auth0 using my github creds, create a tenant, and then configure that tenant so I can log into an Auth0 enabled app also using those same github creds.

Bit of a wall of text there but I’m mentioning it because you cannot delete an “Auth0 user” … you can only invite them to and revoke their access to your tenant.


#7

Thanks for the reply Mark,

So that means when we send invites either through normal user creation process through a given “connection” OR using the dashboard admin menu these concepts are totally different (and there is no sort of one user account tagged to multiple roles e.g. admin at the backend)

So currently, I do not need to remove them from the Users page of the tenant (for applications) since that is completely separate. All I do is remove them from the dashboard admins page, and re-send them a new invitation email correct?

Thanks!


#8

That’s correct … dashboard admin users (under tenant settings) are entirely separate from the users you see in the “Users” section of the dashboard. So yes, remove them from the dashboard admin settings page and re-invite.

Now if your dashboard admin users are getting “blocked for too many attempts” when trying to log in to manage.auth0.com, you’ll need the Auth0 folks to help with that.


#9

Hi Mark,

So I removed the user from the admin dashboard and sent him another invitation. It appears when he tries to log in with the username and password (which was created for him when we enrolled him through the Users module in auth0) it gives him an incorrect username/password.

And when he tries to reset it he never gets the email - checked both inbox and junk.


#10

That’s where the confusion is … the user you enrolled is a user within your tenant, which is not the same as a mgmt dashboard user which exists outside of you tenant.

Have the user go to https://auth0.com/, click “Sign Up”, go through the sign up process (they can use any of the available sign up options… google, github, etc.), then they will be able to click the link in the invite email and sign in with those same credentials (they’ll probably already be logged in from the sign up process).


#11

Hi mark,

But isnt that the signup to get them to set their own tenant? (because it prompts them to enter a tenant name). Is the signup for applications separate? We also have the option under our DB connection set as “Disable signups” to true.


#12

That’s correct, but they can just ignore or even delete the tenant if they don’t want to use it, or use it for doing their own testing which is what I do … you can create and destroy tenants at any time at no cost, which is one of the great strengths of Auth0’s platform. Have an idea? Create a tenant to test it / do a proof of concept, delete the tenant when you are done.


#13

hey Mark

While that is true, there will be a lot of users that will be signed up later for using the applications. This would kind of be an odd solution for that as they are just consumers.

We normally just go to the Users section and add them from there. Is there any other workaround?


#14

Yes, your customers sign up via your tenant. This is not the same as a management dashboard user. A weak analogy: your employees are in your HR database (equivalently management dashboard users are in Auth0’s user database), but your customers are in your customer database (equivalently your customers are in your tenant).

As an example, I have my own Amazon Web Services account. I could invite you to my AWS account and give you permissions to various services. This has nothing to do with customers accessing any services I have created inside AWS. You could be a customer of one of those services but your access to my AWS account is completely separate from your access to the services I have created in AWS.


#15

Mark, totally understand that. Apologies if I came across a little unclear but what I meant to say is in order to solve the users problem, if we do not want him/her to go and signup for an entire tenant and then later delete it (since they are just consumers), is there any other workaround to solve his current issue where he keeps getting an incorrect username/password?

None of the other admins have faced this issue before, its just somehow to do with two of our users. They have been able to login successfully using their current Auth0 password which was provided to them via the users section (I also understand that the users section is totally different from the admin dashboard)


#16

Understood. Make sure the ‘problem’ users are not currently logged in with tenant credentials (users within your tenants) and make sure they aren’t trying to log in with tenant credentials after clicking the invite link. Have a look at the screencaps at the link below.

Using the Auth0 account associated with my work email I invited my “personal email” to one of my “work email” test / demo tenants. After clicking the invite link I opted to log in with my github creds. This is the flow you dashboard users should be following.


#17

Hey Mark,

While this technique would work fine, this would still require users to sort of have two accounts. One for the normal app authentication and another for the admin portal.

How can we get it done, so that the same email address is used for both admin and non-admin accounts?

I see a list of current users who are both admins and regular tenant users with the same email address associated with both.

When we send an admin invite link, the only signup options are the preset - GitHub, Microsoft etc and if we try to signup with the same email as used in the tenant, it says email already exists.