Microsoft Entra ID Account Lockout Duration is not set to 60 seconds or more
- Contextual name: Account Lockout Duration is not set to 60 seconds or more
- ID:
/ce/ca/azure/microsoft-entra-id/account-lockout-duration
- Located in: Microsoft Entra ID
Flags
- Impossible policy
- Policy with categories
- Policy with type
Our Metadata
- Policy Type:
COMPLIANCE_POLICY
- Policy Category:
SECURITY
Description
The account lockout duration determines how long an account stays locked out after the lockout threshold has been exceeded, and therefore how long a user must wait before sign-in attempts are accepted again.
Rationale
Account lockout is a method of protecting against brute-force and password-spray attacks. Once the lockout threshold has been exceeded, the account enters a locked-out state that rejects all sign-in attempts for the configured lockout duration. The lockout threshold in combination with a reasonable lockout duration caps the number of failed sign-in attempts a malicious actor can make against an account in a given period of time.
Impact
If the account lockout duration is set too low (less than 60 seconds), malicious actors can perform more password-spray and brute-force attempts against an account over a given period of time.
If the account lockout duration is set too high (more than 300 seconds), legitimate users may experience inconvenient delays when they are locked out.
Audit
From Azure Portal
- From Azure Home select the Portal Menu.
- Select Microsoft Entra ID.
Remediation
From Azure Portal
- From Azure Home select the Portal Menu.
- Select Microsoft Entra ID.
- Under Manage, select Security.
- Under Manage, select Authentication methods.
- Under Manage, select Password protection.
- Set the Lockout duration in seconds to 60 or higher.
- Click Save.
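The portal steps above are manual. The following is an added example, not Cloudaware's or Microsoft's code, of how the same check can be scripted and why the 60-second floor matters. It assumes the tenant's smart-lockout values are read from Microsoft Graph (beta) GET /settings, where they appear in a directorySetting named "Password Rule Settings" with value entries "LockoutDurationInSeconds" and "LockoutThreshold"; the JSON payload is constructed sample data, and the function names (`password_rule_values`, `lockout_duration`, `evaluate`, `attacker_attempts`, `audit`) are this example's own. It also computes the upper bound on failed guesses per hour against one account that the Rationale and Impact sections describe, for several durations.

```python
"""Audit helper for the Entra ID 'Lockout duration in seconds' setting.

Added example for this policy page, not Cloudaware's or Microsoft's code.
Assumption: the tenant's smart-lockout values come from Microsoft Graph
(beta) GET /settings, in a directorySetting named "Password Rule Settings"
with value entries "LockoutDurationInSeconds" and "LockoutThreshold".
The payload below is constructed sample data, not a real tenant response.
"""
import json

MIN_DURATION = 60        # floor required by this policy (CIS Azure v3.0.0 2.7)
MAX_DURATION = 300       # usability ceiling quoted in the Impact section
DEFAULT_DURATION = 60    # Entra default applied when the blade was never saved
DEFAULT_THRESHOLD = 10   # Entra default lockout threshold

# Constructed sample: a tenant that lowered the duration to 30 seconds.
SAMPLE_GRAPH_SETTINGS = json.loads("""
{
  "value": [
    {
      "displayName": "Password Rule Settings",
      "values": [
        {"name": "LockoutThreshold", "value": "10"},
        {"name": "LockoutDurationInSeconds", "value": "30"},
        {"name": "EnableBannedPasswordCheck", "value": "true"}
      ]
    }
  ]
}
""")


def password_rule_values(settings):
    """Return {name: value} from the 'Password Rule Settings' object, or {} if absent."""
    for setting in settings.get("value", []):
        if setting.get("displayName") == "Password Rule Settings":
            return {v["name"]: v["value"] for v in setting.get("values", [])}
    return {}


def lockout_duration(settings):
    """Effective lockout duration in seconds; Entra's default applies when unset."""
    raw = password_rule_values(settings).get("LockoutDurationInSeconds")
    return int(raw) if raw is not None else DEFAULT_DURATION


def lockout_threshold(settings):
    """Effective lockout threshold; Entra's default applies when unset."""
    raw = password_rule_values(settings).get("LockoutThreshold")
    return int(raw) if raw is not None else DEFAULT_THRESHOLD


def evaluate(duration):
    """Map a duration onto the page's bands: FAIL (<60), PASS (60..300), warning (>300)."""
    if duration < MIN_DURATION:
        return "FAIL"
    if duration > MAX_DURATION:
        return "PASS_WITH_WARNING"   # compliant, but locked-out users wait a long time
    return "PASS"


def attacker_attempts(threshold, duration, window_seconds):
    """Upper bound on failed guesses against ONE account inside window_seconds.

    Model: the attacker burns the whole threshold at once, waits out the
    lockout, and repeats; guesses themselves take no time. Entra lengthens
    the lockout on repeated lockouts, so the real figure is lower; the
    bound still shows what the 60-second floor buys.
    """
    if duration <= 0:
        raise ValueError("lockout duration must be positive")
    bursts = (window_seconds + duration - 1) // duration   # bursts at t = 0, D, 2D, ... < window
    return threshold * bursts


def audit(settings, window_seconds=3600):
    """One-shot audit result for a Graph settings payload."""
    duration = lockout_duration(settings)
    threshold = lockout_threshold(settings)
    return {
        "duration": duration,
        "result": evaluate(duration),
        "max_attempts_per_window": attacker_attempts(threshold, duration, window_seconds),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_GRAPH_SETTINGS))
    for d in (10, 30, 60, 300):
        print(f"duration={d:>3}s -> at most {attacker_attempts(10, d, 3600)} guesses/hour per account")
```

With the default threshold of 10, a 30-second duration allows up to 1,200 guesses per hour against a single account, 60 seconds halves that to 600, and 300 seconds brings it down to 120. The bound is per account: a password spray that tries one password across many accounts stays under each account's threshold, so the duration mainly throttles attackers who concentrate on one account, and the threshold, the banned-password list and MFA carry the rest of the spray defence.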
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags
---|---|---|---|---
CIS Azure v3.0.0 > 2.7 Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' (Manual) | 1 | | |
Cloudaware Framework > Credential Lifecycle Management | 17 | | |