Microsoft Entra Smart Lockout is a service that monitors all logins to Microsoft Entra ID. Using various mechanisms, Microsoft Entra Smart Lockout detects attacks on user accounts and locks them out. Among other things, it detects password-guessing and brute-force attacks.

After 10 failed attempts, Microsoft Entra Smart Lockout locks the account for 1 minute. You can adjust these default values to your own needs.

Prerequisites and Licensing

The following license is required for Microsoft Entra Smart Lockout:

  • Microsoft Entra ID P1

The license is included in Microsoft 365 Business Premium and many other packages.

An overview of Microsoft 365 license packages with their features can be found at https://m365maps.com.

Microsoft Entra Smart Lockout Configuration

The configuration for locking the Microsoft Entra account is done in the Microsoft Entra admin center (https://entra.microsoft.com) under Protection > Authentication methods > Password protection.

The default values for an account lockout are very moderate and should be adjusted to your own requirements.

  • Lockout threshold: 10 failed attempts
  • Lockout duration: 60 seconds

Good to know

Using Microsoft Entra pass-through authentication (PTA)

With Microsoft Entra pass-through authentication (PTA), the local account policy is taken into account, because the user authentication takes place on the local Active Directory and not in Microsoft Entra ID. This prevents Active Directory and Microsoft Entra ID from blocking each other.

The following values have proven to be useful as guidelines for Microsoft Entra Smart Lockout:

Lockout threshold
This value must be set lower in Microsoft Entra Smart Lockout than in the local Active Directory.

Lockout duration
This value must be set higher in Microsoft Entra Smart Lockout than in the local Active Directory.

Password Protection for Windows Server Active Directory must be enabled.
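
The two PTA guidelines above as a check against the on-premises lockout policies, added here as an example and not part of the original article. It assumes the ActiveDirectory RSAT module, takes the Entra values as parameters read from the admin center, and uses a hypothetical helper named Test-LockoutAlignment; it goes beyond the text by also checking fine-grained password policies and the AD special value 0.

```powershell
#Requires -Modules ActiveDirectory
param(
    # Entra values as shown under Password protection; defaults are the article's defaults.
    [int]$EntraThreshold = 10,
    [int]$EntraDurationSeconds = 60
)

# Hypothetical helper: applies the two PTA guidelines to one AD lockout policy.
function Test-LockoutAlignment {
    param(
        [string]$Name, [int]$AdThreshold, [timespan]$AdDuration,
        [int]$EntraThreshold, [int]$EntraDurationSeconds
    )
    $issues = @()
    if ($AdThreshold -eq 0) {
        # In AD a threshold of 0 disables lockout, so there is nothing to stay below.
        $note = 'AD lockout disabled (threshold 0)'
    } else {
        $note = ''
        if ($EntraThreshold -ge $AdThreshold) {
            $issues += "Entra threshold $EntraThreshold is not lower than AD threshold $AdThreshold"
        }
        if ($AdDuration.TotalSeconds -eq 0) {
            # In AD a duration of 0 keeps the account locked until an administrator unlocks it.
            $issues += 'AD locks until an administrator unlocks; no Entra duration can be higher'
        } elseif ($EntraDurationSeconds -le $AdDuration.TotalSeconds) {
            $issues += "Entra duration ${EntraDurationSeconds}s is not higher than AD duration $($AdDuration.TotalSeconds)s"
        }
    }
    [pscustomobject]@{
        Policy  = $Name
        Aligned = ($issues.Count -eq 0)
        Note    = $note
        Issues  = $issues -join '; '
    }
}

# Collect the default domain policy plus any fine-grained password policies.
$policies  = @(Get-ADDefaultDomainPasswordPolicy |
    Select-Object @{ n = 'Name'; e = { 'Default Domain Policy' } }, LockoutThreshold, LockoutDuration)
$policies += @(Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, LockoutThreshold, LockoutDuration)

foreach ($p in $policies) {
    Test-LockoutAlignment -Name $p.Name -AdThreshold $p.LockoutThreshold -AdDuration $p.LockoutDuration `
        -EntraThreshold $EntraThreshold -EntraDurationSeconds $EntraDurationSeconds
}
```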

Unlock Microsoft Entra Account

A locked Microsoft Entra account cannot be unlocked by an administrator. The unlocking occurs automatically after the lockout duration expires. Microsoft Entra Smart Lockout is smart enough to block only the attacker’s requests. This makes it almost impossible for the real user to be locked out.
If required, users can unlock their account independently with Self-Service Password Reset (SSPR) before the lockout duration expires.

