![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 34%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJL%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Entra | Microsoft Entra External ID
Managing external identities to enable secure access for partners, customers, and other non-employees
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 85%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
Hello Jinki Lee,
It looks like you’re calling the native OAuth2 endpoints against a cloud-only Azure AD tenant and you’re not seeing the user get locked out even after 10 bad password attempts. A few things to know:
- Microsoft Entra Smart Lockout is turned on by default for Azure AD accounts
- Default threshold is 10 failed attempts (60 sec lockout) for public clouds.
- If your tenant has Azure AD P1/P2 you can tweak those values under Entra ID > Authentication methods > Password protection (see screenshot in your post).
- Geo-distribution and datacenter replication can make it look like you get more than 10 “tries” before the lock actually fires
- Each authentication datacenter keeps its own counter. Until all of them sync you can sometimes see up to (threshold × datacenter count) failures show up before you actually hit the lockout state.
- Once the account is locked you’ll see AADSTS50053 in your token response and sign-in logs.
- There’s no built-in “manual unlock” for smart lockout — you have to wait out the duration (or use SSPR if you’ve enabled it). Admins today can’t click “unlock user” on a smart-lockout event.
- If you really need a hard disable after exactly N tries, you’ll have to build that logic yourself (for example, track failed sign-ins in your app or via sign-in logs + an Azure Function, then call the Graph API to set user.accountEnabled = false when you hit your custom threshold).
Here are some things to check to make sure smart lockout is applied correctly: • Have you confirmed that the user is a cloud-only (non-federated) account? • Do you have at least Azure AD P1 licenses (required if you want to customize threshold/duration)? • After you hit 10 failures, do you see any AADSTS errors or “temporarily locked” messages? • Can you find the bad-password attempts in the Sign-ins blade or via the audit logs?
If you need more control over exactly when and how an account gets disabled, the recommended pattern is:
- Capture your app’s sign-in failures (or ingest sign-in logs via Azure Monitor)
- When you detect your own “10th failure,” call Microsoft Graph to disable the account
- Re-enable via Graph once you’re ready
Hope that clarifies why you aren’t seeing a hard lockout right at “attempt #11” and points you at your options.
References • Manage Microsoft Entra smart lockout values:
Troubleshoot account lockout with Azure AD Domain Services (for FGPPs): https://learn.microsoft.com/entra/identity/domain-services/troubleshoot-account-lockout