
Smart Lockout for Email OTP validation in Entra External ID

Ulrik Ejdesgaard 0 Reputation points
2026-05-06T06:32:38.8733333+00:00

We are using Microsoft Entra External ID (CIAM, ciamlogin.com authority) with Email One Time Passcode as our primary authentication method in a sign-in user flow.

We have observed that when a user requests multiple OTP codes in succession, all previously generated codes appear to remain valid until they expire (30 minutes), meaning multiple active OTP codes can exist simultaneously for a single user. We have searched the documentation but could not find a definitive answer on either of the following security questions.

1. Does Smart Lockout apply to failed OTP validation attempts?

Will an account be locked out after repeated incorrect OTP guesses, the same way it would for repeated incorrect password attempts? Or does Smart Lockout only apply to password-based authentication flows?

2. Are multiple simultaneously valid OTP codes by design?

If so, what built-in protections exist to prevent an attacker from generating a large number of valid OTP codes and using them to increase their chances of guessing a valid code via brute force? With an 8-digit OTP and a 30-minute validity window, the theoretical attack surface seems non-trivial if no lockout or rate-limiting mechanism applies to validation attempts.

We would appreciate a reference to official documentation if available.

Environment:

  • Tenant type: Entra External ID (CIAM), ciamlogin.com authority
  • Authentication method: Email One Time Passcode
  • User flow type: Sign-in (no self sign-up)
Microsoft Security | Microsoft Entra | Microsoft Entra External ID

1 answer

  1. Q&A Assist
    2026-05-06T06:33:07.4233333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.
    1. Smart lockout and OTP validation

    Smart lockout, as documented, is a password protection feature that applies to password-based sign-in attempts. It tracks failed password attempts, uses bad password hash tracking, and locks accounts based on configurable lockout thresholds and durations.

    All available documentation in the provided context describes Smart lockout only in relation to password-based authentication (for example, sign-ins where a password is entered and validated by Microsoft Entra ID or on-premises AD via pass-through authentication). There is no indication in the provided documentation that Smart lockout applies to email one-time passcode (OTP) validation attempts.

    Therefore, based on the documentation in scope, Smart lockout is a password-focused control and is not described as applying to email OTP verification failures.

    2. Multiple simultaneously valid OTP codes and protections

    For native authentication with email one-time passcode, the documented behavior is:

    • After the app verifies the user's email with OTP, it receives tokens.
    • If delivery of the OTP is delayed or not delivered, the user can request another OTP.
    • When Microsoft Entra resends a one-time passcode, it invalidates the previously sent code if it has not yet been verified.

    This means that, for the documented native auth email OTP flow, multiple simultaneously valid OTPs for the same user are not expected: when a new OTP is sent, any previous unverified OTP is invalidated.

    The documentation in scope does not describe additional rate limiting or lockout behavior specific to email OTP verification attempts beyond this “resend invalidates previous code” behavior, nor does it describe multiple concurrently valid OTPs as a supported or intended behavior.

    Related protections for OTP-based and sign-up/sign-in scenarios in External ID that are documented include:

    • Sign-up protection controls such as:
      • WAF bot protection to block high-volume automated OTP triggering.
      • Reputation-based email filtering via custom extensions.
      • IP-based filtering and reputation checks via custom extensions.
      • Monitoring and alerting on excessive OTPs from a single IP/ASN or location.
    • Sign-up error handling and specific OTP-related error codes (for example, 50181 for “Unable to validate the OTP” and 50182 for “OTP is already expired”), with guidance for users to request a new OTP.

    These controls are focused on reducing automated abuse and fraud in OTP-based flows, but the provided documentation does not explicitly describe:

    • Smart lockout being applied to OTP validation failures.
    • A built-in lockout or rate limit specifically on OTP validation attempts for sign-in.

    If behavior in a specific CIAM user flow appears to differ from the documented native auth behavior (for example, multiple OTPs seemingly valid at once), the next step, per the sign-up troubleshooting guidance, is to collect sign-up/sign-in logs and error codes and then open a support request for further investigation.

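As an added example (not from the question, the answer, or Microsoft's documentation), the script below runs the monitoring idea from the answer (excessive OTP sends per IP, repeated failed validations per user, within the 30-minute validity window the question cites) over a constructed event list, and quantifies the brute-force risk the question raises as a function of how many codes are live at once. The event schema, the 50181 failure code mapping and the thresholds are assumptions, not Entra External ID's log format or policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Entra sign-in logs):
# (timestamp, user, source IP, event, error code)
LOG = [
    ("2026-05-06T06:00:00", "alice@example.com", "203.0.113.7", "otp_sent", None),
    ("2026-05-06T06:01:10", "alice@example.com", "203.0.113.7", "otp_verified", None),
    ("2026-05-06T06:05:00", "bob@example.com", "198.51.100.9", "otp_sent", None),
    ("2026-05-06T06:05:30", "bob@example.com", "198.51.100.9", "otp_failed", 50181),
    ("2026-05-06T06:05:40", "bob@example.com", "198.51.100.9", "otp_failed", 50181),
    ("2026-05-06T06:05:50", "bob@example.com", "198.51.100.9", "otp_failed", 50181),
    ("2026-05-06T06:06:00", "bob@example.com", "198.51.100.9", "otp_failed", 50181),
    ("2026-05-06T06:06:10", "u2@example.com", "198.51.100.9", "otp_sent", None),
    ("2026-05-06T06:06:20", "u3@example.com", "198.51.100.9", "otp_sent", None),
    ("2026-05-06T06:06:30", "u4@example.com", "198.51.100.9", "otp_sent", None),
    ("2026-05-06T06:06:40", "u5@example.com", "198.51.100.9", "otp_sent", None),
    ("2026-05-06T06:06:50", "u6@example.com", "198.51.100.9", "otp_sent", None),
    ("2026-05-06T06:40:00", "carol@example.com", "192.0.2.44", "otp_failed", 50182),
]

WINDOW = timedelta(minutes=30)  # OTP validity window from the question
SEND_LIMIT = 5                  # assumed policy: otp_sent per IP per window
FAIL_LIMIT = 3                  # assumed policy: 50181 failures per user per window

def guess_success_probability(valid_codes, attempts, digits=8):
    """Exact P(at least one hit) when `valid_codes` distinct codes are live and an
    attacker submits `attempts` distinct guesses from a space of 10**digits
    (hypergeometric: each miss shrinks the remaining pool of wrong codes)."""
    space = 10 ** digits
    p_all_miss = 1.0
    for i in range(attempts):
        p_all_miss *= (space - valid_codes - i) / (space - i)
    return 1.0 - p_all_miss

def find_alerts(events, send_limit=SEND_LIMIT, fail_limit=FAIL_LIMIT, window=WINDOW):
    """Sliding-window counters; emit one alert when a threshold is first exceeded."""
    sends, fails, alerts = defaultdict(list), defaultdict(list), []
    for ts, user, ip, event, code in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if event == "otp_sent":
            bucket, key, limit, kind = sends, ip, send_limit, "excessive_otp_sends"
        elif event == "otp_failed" and code == 50181:  # "Unable to validate the OTP"
            bucket, key, limit, kind = fails, user, fail_limit, "repeated_otp_failures"
        else:
            continue  # verified codes and expired-code errors (50182) are not counted
        bucket[key] = [x for x in bucket[key] if t - x <= window] + [t]
        if len(bucket[key]) == limit + 1:
            alerts.append((kind, key, ts))
    return alerts
```

`guess_success_probability(1, n)` is n/10^8, and it scales linearly with the number of concurrently valid codes, which is why the "resend invalidates the previous code" behaviour matters as much as a validation rate limit.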
