Skip to main content

🛡️ Microsoft Entra ID Account Lockout Duration is not set 60 seconds or more🟢⚪

  • Contextual name: 🛡️ Account Lockout Duration is not set 60 seconds or more🟢⚪
  • ID: /ce/ca/azure/microsoft-entra-id/account-lockout-duration
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Description

Open File

Description

The account lockout duration value determines how long an account retains the status of lockout, and therefore how long before a user can continue to attempt to login after passing the lockout threshold.

Rationale

Account lockout is a method of protecting against brute-force and password spray attacks. Once the lockout threshold has been exceeded, the account enters a locked-out state which prevents all login attempts for a variable duration. The lockout in combination with a reasonable duration reduces the total number of failed login attempts that a malicious actor can execute in a given period of time.

Impact

If account lockout duration is set too low (less than 60 seconds), malicious actors can perform more password spray and brute-force attempts over a given period of time.

If the account lockout duration is set too high (more than 300 seconds) users may experience inconvenient delays during lockout.

Audit

From Azure Portal
  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Entra ID.

... see more

Remediation

Open File

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Entra ID.
  3. Under Manage, select Security.
  4. Under Manage, select Authentication methods.
  5. Under Manage, select Password protection.
  6. Set the Lockout duration in seconds to 60 or higher.
  7. Click Save.

policy.yaml

Open File

Linked Framework Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 CIS Azure v3.0.0 → 💼 2.7 Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' (Manual)1no data
💼 CIS Azure v4.0.0 → 💼 6.7 Ensure that account 'Lockout duration in seconds' is greater than or equal to '60' (Manual)1no data
💼 Cloudaware Framework → 💼 Credential Lifecycle Management18no data