Microsoft Entra IDOverview
The account lockout threshold determines how many failed login attempts are permitted before the account is locked out and initiated with a variable lockout duration.
Rationale
Account lockout is a method of protecting against brute-force and password spray attacks. Once the lockout threshold has been exceeded, the account enters a lockout state that prevents all login attempts for a variable duration. The lockout, in combination with a reasonable duration, reduces the total number of failed login attempts that a malicious actor can execute in a given period of time.
Impact
If the account lockout threshold is set too low (less than 3), users may experience frequent lockout events, and the resulting security alerts may contribute to alert fatigue.
If the account lockout threshold is set too high (more than 10), malicious actors can programmatically execute more password attempts in a given period.
Default Value
By default, the Lockout threshold is set to 10.
Remediation guidance
Azure Portal
- Open the Security | Authentication methods | Password protection.
- Set the
Lockout thresholdto 10 or fewer. - Click
Save,
Multiple Remediation Paths
SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.
ASSET-LEVEL: Fix only the affected resources identified by this control.
PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.
References for Service-Wide Patterns
- Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.
Query logic
These are the stored checks tied to this control.
Entra tenants allowing too many login attempts
Connectors
Covered asset types
Expected check: eq []
{
connectors(where: { passwordRuleSettings: { lockoutThreshold_GT: 10 } }) {
...AssetFragment
}
}
