Microsoft Entra IDOverview
The account lockout duration value determines how long an account retains the lockout status and, therefore, how long before a user can continue to attempt to log in after passing the lockout threshold.
Rationale
Account lockout is a method of protecting against brute-force and password spray attacks. Once the lockout threshold has been exceeded, the account enters a lockout state that prevents all login attempts for a variable duration. The lockout, combined with a reasonable duration, reduces the total number of failed login attempts that a malicious actor can execute in a given period.
Impact
If the account lockout duration is too low (less than 60 seconds), malicious actors can perform more password spray and brute-force attempts over a given period.
If the account lockout duration is too high (more than 300 seconds), users may experience inconvenient delays during lockout.
Default Value
By default, Lockout duration in seconds is set to 60.
Remediation guidance
Azure Portal
- Open the Security | Authentication methods | Password protection.
- Set the
Lockout duration in secondsto 60 or higher. - Click
Save,
Multiple Remediation Paths
SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.
ASSET-LEVEL: Fix only the affected resources identified by this control.
PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.
References for Service-Wide Patterns
- Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.
Query logic
These are the stored checks tied to this control.
Entra tenants with low lockout duration
Connectors
Covered asset types
Expected check: eq []
{
connectors(where: { passwordRuleSettings: { lockoutDurationInSeconds_LT: 60 } }) {
...AssetFragment
}
}
