ADFS 2016/2019 Extranet Smart Lockout Logging
A quick reference for enabling the logging components required to monitor and troubleshoot ADFS Extranet Smart Lockout.
1. Enable ADFS Tracing / Debug Log
$logname = "AD FS Tracing/Debug"
Get-WinEvent -ListLog $logname | fl IsEnabled
$log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $logname
$log.IsEnabled = $true
$log.SaveChanges()
The Get-WinEvent line shows the current state before you change anything (IsEnabled is False on a default install); re-run it after SaveChanges() to confirm it now reports True. This is an analytic/debug log and is high-volume, so set IsEnabled back to $false with the same three lines once troubleshooting is finished.
2. Enable Application Generated Audit Policy
Extranet Smart Lockout events are written as application-generated audit events. You need to enable this audit subcategory:
auditpol /get /subcategory:"Application Generated" /r
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
Run the first command to check the current state (the /r switch prints CSV; the "Inclusion Setting" column should read "Success and Failure"), then the second to enable both success and failure auditing. Two caveats: a domain GPO that configures Advanced Audit Policy will overwrite this local setting, so apply it there instead if one is in force; and the AD FS service account must hold the "Generate security audits" user right (SeAuditPrivilege), which setup grants, or audit events will never reach the Security log.
3. Set ADFS Audit Level to Verbose
Set-AdfsProperties -AuditLevel Verbose
Verbose logging is required for Extranet Smart Lockout events to appear in the Security event log. Without it, the relevant event IDs will not be written even if the audit policy is enabled. Check the current value with (Get-AdfsProperties).AuditLevel; the valid values are None, Basic and Verbose.
All three components need to be in place, and on a farm they differ in scope: the debug log (step 1) and the audit policy (step 2) are local settings that must be applied on every AD FS server, while the audit level (step 3) is stored in the AD FS configuration database and applies farm-wide. Missing any one of them on any node will result in incomplete or absent lockout telemetry from that node.
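The three steps above as one idempotent script that applies them and then reports their state, so the output can be compared across farm nodes. This is an added example, not code from the original page; the function names Enable-EslLogging and Test-EslLogging are this example's own, not AD FS cmdlets, and it assumes an elevated PowerShell session on an AD FS 2016/2019 server with the ADFS module present.

```powershell
# Added example (not part of the original page): enable and verify the
# Extranet Smart Lockout logging prerequisites on an AD FS 2016/2019 server.
# Enable-EslLogging / Test-EslLogging are names chosen here, not AD FS cmdlets.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$EslDebugLogName = 'AD FS Tracing/Debug'
$EslAuditSubcategory = 'Application Generated'

function Enable-EslLogging {
    # 1. AD FS Tracing/Debug analytic log (local to this server)
    $log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $EslDebugLogName
    if (-not $log.IsEnabled) {
        $log.IsEnabled = $true
        $log.SaveChanges()
    }

    # 2. "Application Generated" audit subcategory, success and failure (local to this server)
    auditpol.exe /set /subcategory:"$EslAuditSubcategory" /success:enable /failure:enable | Out-Null

    # 3. AD FS audit level (farm-wide, stored in the configuration database).
    #    AuditLevel is returned as a collection, so wrap it in @() before testing.
    if (-not (@((Get-AdfsProperties).AuditLevel) -contains 'Verbose')) {
        Set-AdfsProperties -AuditLevel Verbose
    }
}

function Test-EslLogging {
    # Returns one object describing all three prerequisites on this node.
    $debugEnabled = (Get-WinEvent -ListLog $EslDebugLogName).IsEnabled

    # auditpol /r prints CSV (Machine Name, Policy Target, Subcategory, ...,
    # Inclusion Setting, Exclusion Setting); drop blank lines before parsing.
    $auditRow = auditpol.exe /get /subcategory:"$EslAuditSubcategory" /r |
        Where-Object { $_ -ne '' } |
        ConvertFrom-Csv
    $auditSetting = $auditRow.'Inclusion Setting'
    $auditOk = ($auditSetting -eq 'Success and Failure')

    $auditLevel = @((Get-AdfsProperties).AuditLevel)
    $verboseOk = ($auditLevel -contains 'Verbose')

    [pscustomobject]@{
        Server         = $env:COMPUTERNAME
        DebugLog       = $debugEnabled
        AuditPolicy    = $auditSetting
        AuditPolicyOk  = $auditOk
        AdfsAuditLevel = ($auditLevel -join ',')
        AuditLevelOk   = $verboseOk
        AllConfigured  = ($debugEnabled -and $auditOk -and $verboseOk)
    }
}

Enable-EslLogging
Test-EslLogging | Format-List
```

Because steps 1 and 2 are local, run the script on every AD FS server in the farm; step 3 only needs to succeed once, and the script skips it when the farm already reports Verbose. AllConfigured is False on any node where one of the three is missing, which is the condition that produces gaps in lockout telemetry.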