Description
The account lockout duration value determines how long an account retains the lockout status, and therefore how long a user must wait before attempting to log in again after exceeding the lockout threshold.
Rationale
Account lockout is a method of protecting against brute-force and password spray attacks. Once the lockout threshold has been exceeded, the account enters a locked-out state which prevents all login attempts for a variable duration. The lockout in combination with a reasonable duration reduces the total number of failed login attempts that a malicious actor can execute in a given period of time.
Impact
If account lockout duration is set too low (less than 60 seconds), malicious actors can perform more password spray and brute-force attempts over a given period of time.
If the account lockout duration is set too high (more than 300 seconds), users may experience inconvenient delays during lockout.
Audit
From Azure Portal
- From Azure Home select the Portal Menu.
- Select Microsoft Entra ID.
- Under Manage, select Security.
- Under Manage, select Authentication methods.
- Under Manage, select Password protection.
- Ensure that Lockout duration in seconds is set to 60 or higher.
Default Value
By default, Lockout duration in seconds is set to 60.
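The portal steps above can be turned into a repeatable audit check. The following is an added example, not part of this benchmark page or any Microsoft tooling; it assumes the setting is exported in a JSON listing shaped like a Microsoft Graph directory-settings response, with a "Password Rule Settings" object whose values include a `LockoutDurationInSeconds` string (that shape and those names are assumptions, and the sample responses are constructed). It applies the 60-second floor from the Audit section, flags values above the 300-second point the Impact section warns about, and treats a tenant with no password-protection object as running the stated default of 60 seconds.

```python
import json

# Thresholds taken from this recommendation: the audit floor, the point
# past which the Impact section warns of user inconvenience, and the
# tenant default that applies when the setting has never been changed.
MIN_LOCKOUT_SECONDS = 60
MAX_LOCKOUT_SECONDS = 300
DEFAULT_LOCKOUT_SECONDS = 60

# Constructed sample response. Assumption: it is shaped like a Microsoft
# Graph directory-settings listing, where the "Password Rule Settings"
# object carries name/value string pairs. Not data from any real tenant.
SAMPLE_SETTINGS_JSON = """
{
  "value": [
    {
      "id": "00000000-0000-0000-0000-000000000001",
      "displayName": "Password Rule Settings",
      "values": [
        {"name": "LockoutThreshold", "value": "10"},
        {"name": "LockoutDurationInSeconds", "value": "45"},
        {"name": "EnableBannedPasswordCheck", "value": "true"}
      ]
    }
  ]
}
"""

# Constructed sample for a tenant that never changed password protection:
# no "Password Rule Settings" object exists, so the default applies.
SAMPLE_UNTOUCHED_JSON = '{"value": []}'


def lockout_duration_seconds(settings_json: str) -> int:
    """Extract LockoutDurationInSeconds, falling back to the tenant default.

    Raises ValueError if the value is present but not an integer, so a
    malformed setting fails the audit loudly instead of passing silently.
    """
    data = json.loads(settings_json)
    for setting in data.get("value", []):
        if setting.get("displayName") != "Password Rule Settings":
            continue
        for pair in setting.get("values", []):
            if pair.get("name") == "LockoutDurationInSeconds":
                raw = pair.get("value")
                try:
                    return int(raw)
                except (TypeError, ValueError):
                    raise ValueError(
                        f"LockoutDurationInSeconds is not an integer: {raw!r}"
                    )
    return DEFAULT_LOCKOUT_SECONDS


def assess_lockout_duration(seconds: int) -> tuple[bool, str]:
    """Return (compliant, finding) for a lockout duration in seconds."""
    if seconds < MIN_LOCKOUT_SECONDS:
        return False, (
            f"FAIL: lockout duration is {seconds}s; below {MIN_LOCKOUT_SECONDS}s "
            f"an attacker can retry more often in a given period"
        )
    if seconds > MAX_LOCKOUT_SECONDS:
        return True, (
            f"PASS (review): lockout duration is {seconds}s, above "
            f"{MAX_LOCKOUT_SECONDS}s; locked-out users will face long delays"
        )
    return True, f"PASS: lockout duration is {seconds}s"


def audit(settings_json: str) -> tuple[bool, str]:
    """Run the complete check against one settings listing."""
    return assess_lockout_duration(lockout_duration_seconds(settings_json))


if __name__ == "__main__":
    for label, doc in (("configured", SAMPLE_SETTINGS_JSON),
                       ("untouched", SAMPLE_UNTOUCHED_JSON)):
        compliant, finding = audit(doc)
        print(f"{label}: {finding}")
```

The check deliberately distinguishes a missing setting (default applies, compliant) from a malformed one (error), because an automated audit that silently treats garbage as "60" would hide a misconfiguration.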