The Directories Management service includes a default access policy that controls user access to their apps portals. You can edit the policy to change the policy rules as necessary.
When you enable authentication methods other than password authentication, you must edit the default policy to add the enabled authentication method to the policy rules.
Each rule in the default access policy requires that a set of criteria be met in order to allow user access to the apps portal. You apply a network range, select which type of user can access content and select the authentication methods to use. See Managing Access Policies.
The number of attempts the service makes to login a user using a given authentication method varies. The services only makes one attempt at authentication for Kerberos or certificate authentication. If the attempt is not successful in logging in a user, the next authentication method in the rule is attempted. The maximum number of failed login attempts for Active Directory password and RSA SecurID authentication is set to five by default. When a user has five failed login attempts, the service attempts to log in the user with the next authentication method on the list. When all authentication methods are exhausted, the service issues an error message.