If MSAD is used as the sole persistency layer (=no IAM database), only a limited set of features is supported in a secure manner. This is due to the fact that MSAD stores only a single „failed attempts counter“, namely „badPwdCount“ for failed password checks.
Most use-cases involving additional authentication factors require additional "failure counters" in order to be robust against brute-forcing attacks.
Example:
- Authentication scheme: Username/Password check against MSAD followed by OTP check (no IAM database)
- Risk: An adversary knowing username and password may be able to brute force the OTP because no 2nd factor counter exists and therefore the account is not locked after a few trials.
A non-exhaustive list of known limitations is given below:
The limitations only apply if MSAD is used as the sole persistence layer.
Use-Case | Risk | Recommended Solution |
|---|---|---|
2-factor authentication | Risk of brute-forcing the 2nd factor if username and password is known. |
|
Temporary Locking | Limited support (only based on bad password counter) Not supported in Loginapp REST API | |
Password Reset Self-Service with OTP | Risk of OTP being brute-forced because of lack of failure counter. |