Lock-out Account after Azure MFA x number of attempts

Daniel S 20 Reputation points
2024-08-09T04:48:00.9433333+00:00

Hello.
I've searched high and low for an answer but have been unable to find it.

Is there a way to have Azure lock out an account after 3 failed MFA attempts?

The built-in function under > Security > MFA > Account lockout is only for the deprecated Azure Server, and Smart Lockout doesn't serve this need.

Does anyone know where I could create an automation runbook, logic app, or some other way to accomplish this goal? It's a native feature in DUO, but not MMFA. We have our password lockout policy in place but need MFA to stop MFA fatigue attacks.

Thanks,

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Abiola Akinbade 29,570 Reputation points Volunteer Moderator
    2024-08-09T07:47:13.0133333+00:00

    Hello Daniel S,

    I am not sure there is a direct functionality that does this. While Conditional Access controls access based on conditions, it might not be a direct fit for this scenario. You could try a Logic App that monitors Entra sign-in logs and takes action after a certain number of failed MFA attempts.

    Use the Microsoft Graph API to periodically check sign-in logs, count failed MFA attempts per user, and trigger an account disable action when the threshold is reached.

    You can mark it 'Accept Answer' and 'Upvote' if this helped you

    Regards,

    Abiola


1 additional answer

  1. Neuvi Jiang 1,540 Reputation points Microsoft External Staff
    2024-08-09T08:00:16.49+00:00

    Hi Daniel S,

    Thank you for posting in the Q&A Forums.

    Method 1: Using Conditional Access and Custom Policies

    Conditional Access for Azure AD allows you to set complex access control policies based on a user's login attempts. While Conditional Access itself does not directly support locking accounts after MFA failures, you can indirectly accomplish this by using a combination of Conditional Access and services such as Azure AD Identity Protection.

    Enable Azure AD Identity Protection: This service detects suspicious login attempts, including multiple failed login attempts.

    Set a risk policy: In Identity Protection, you can set a policy to automatically request MFA when a high-risk login is detected. In addition, you can set another policy to mark a user's account as high-risk and potentially prevent them from logging in when they make multiple failed login attempts within a short period of time.

    Method 2: Use a third-party identity and access management (IAM) solution

    If the built-in features of Azure AD don't meet your needs, you might consider using a third-party IAM solution. These solutions typically offer more advanced authentication and access control features, including the ability to lock accounts after multiple MFA failures.

    Method 3: Custom Scripts or Integrations

    If you have the resources and expertise, you can write custom scripts or integrate Azure AD with a third-party security system to automatically lock accounts after multiple MFA failures are detected. This usually involves using Azure AD's API to monitor login attempts and perform a lockout when a specific threshold is reached.

    Method 4: Use the Azure AD Premium feature

    If you've purchased Azure AD Premium, then you can take advantage of more advanced security features such as Azure AD Privileged Identity Management (PIM). While PIM focuses primarily on the management of privileged accounts, it also provides a number of features related to access control and authentication that may help you achieve your desired security policy.

    Best regards

    NeuviJ

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

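Both the accepted answer (poll the sign-in logs with Microsoft Graph, count failed MFA attempts per user, disable the account at a threshold) and Method 3 of the second answer describe the same automation without showing it. The following is an added example written for this page, not code from either answer or from Microsoft. It runs offline over constructed records shaped like the objects Graph returns from `GET /v1.0/auditLogs/signIns`; the field names `userId`, `createdDateTime` and `status.errorCode` are real Graph properties, but treating error code 500121 as "the MFA challenge failed or was denied" is an assumption you should confirm against your own tenant's sign-in logs before acting on it. The `send` callable stands in for the Logic App HTTP action that would issue the Graph `PATCH /users/{id}` request.

```python
"""Threshold-based lockout of accounts with repeated failed MFA challenges.

Added example for this thread, not code from the original answers. Sample
records below are constructed to mimic Graph /auditLogs/signIns objects.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable

# Assumption: status.errorCode 500121 ("Authentication failed during strong
# authentication request") marks a denied, timed-out or failed MFA prompt.
# Verify against real sign-in records before relying on it.
MFA_FAILURE_CODES = {500121}
THRESHOLD = 3                     # failures before the account is disabled
WINDOW = timedelta(minutes=15)    # sliding window the failures must fall in
GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample data (not real log output). alice: 3 MFA failures inside
# the window; bob: 2 failures then a success; carol: 1 failure outside the
# window; dave: a wrong-password failure (50126), which is not an MFA failure;
# eve: an interrupted sign-in with no status block at all.
NOW = datetime(2024, 8, 9, 4, 48, tzinfo=timezone.utc)
SAMPLE_SIGN_INS = [
    {"userId": "u-alice", "createdDateTime": "2024-08-09T04:40:00Z",
     "status": {"errorCode": 500121, "additionalDetails": "MFA denied; user declined the authentication"}},
    {"userId": "u-alice", "createdDateTime": "2024-08-09T04:41:00Z",
     "status": {"errorCode": 500121, "additionalDetails": "MFA denied; duration expired"}},
    {"userId": "u-alice", "createdDateTime": "2024-08-09T04:42:00Z",
     "status": {"errorCode": 500121, "additionalDetails": "MFA denied; user declined the authentication"}},
    {"userId": "u-bob", "createdDateTime": "2024-08-09T04:35:00Z",
     "status": {"errorCode": 500121, "additionalDetails": "MFA denied; duration expired"}},
    {"userId": "u-bob", "createdDateTime": "2024-08-09T04:36:00Z",
     "status": {"errorCode": 500121, "additionalDetails": "MFA denied; duration expired"}},
    {"userId": "u-bob", "createdDateTime": "2024-08-09T04:37:00Z",
     "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by strong authentication"}},
    {"userId": "u-carol", "createdDateTime": "2024-08-09T03:50:00Z",
     "status": {"errorCode": 500121, "additionalDetails": "MFA denied; user declined the authentication"}},
    {"userId": "u-dave", "createdDateTime": "2024-08-09T04:45:00Z",
     "status": {"errorCode": 50126, "failureReason": "Invalid username or password"}},
    {"userId": "u-eve", "createdDateTime": "2024-08-09T04:46:00Z"},
]


def parse_time(value: str) -> datetime:
    """Graph emits ISO 8601 with a trailing Z; return an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def count_failed_mfa(sign_ins: Iterable[dict], now: datetime = NOW,
                     window: timedelta = WINDOW) -> dict:
    """Number of MFA-failure sign-ins per userId within [now - window, now]."""
    counts = defaultdict(int)
    for rec in sign_ins:
        code = rec.get("status", {}).get("errorCode", 0)
        if code not in MFA_FAILURE_CODES:
            continue
        when = parse_time(rec["createdDateTime"])
        if now - window <= when <= now:
            counts[rec["userId"]] += 1
    return dict(counts)


def users_over_threshold(sign_ins: Iterable[dict], now: datetime = NOW,
                         threshold: int = THRESHOLD, window: timedelta = WINDOW,
                         exclude: frozenset = frozenset()) -> list:
    """Sorted userIds at or above the threshold, minus an exclusion list
    (break-glass and service accounts should never be auto-disabled)."""
    counts = count_failed_mfa(sign_ins, now, window)
    return sorted(u for u, n in counts.items() if n >= threshold and u not in exclude)


def disable_request(user_id: str) -> dict:
    """The Graph call that blocks sign-in for the account.
    The caller's identity needs User.ReadWrite.All (application permission)."""
    return {"method": "PATCH", "url": f"{GRAPH}/users/{user_id}",
            "headers": {"Content-Type": "application/json"},
            "json": {"accountEnabled": False}}


def lock_out(sign_ins: Iterable[dict], send: Callable[[dict], None],
             now: datetime = NOW, threshold: int = THRESHOLD,
             window: timedelta = WINDOW, exclude: frozenset = frozenset()) -> list:
    """Send a disable request for each offending user; return who was disabled."""
    disabled = []
    for user_id in users_over_threshold(sign_ins, now, threshold, window, exclude):
        send(disable_request(user_id))
        disabled.append(user_id)
    return disabled


if __name__ == "__main__":
    sent = []                      # stand-in for the Logic App HTTP action
    print("disabled:", lock_out(SAMPLE_SIGN_INS, sent.append))
    print("requests:", sent)
```

In a real Logic App or runbook, `SAMPLE_SIGN_INS` is replaced by the result of `GET /v1.0/auditLogs/signIns?$filter=createdDateTime ge {now - window}` (read with AuditLog.Read.All) and `send` by an HTTP action. Three operational points matter: sign-in log records arrive with some delay, so the window must be wider than the polling interval or failures will be missed; the exclusion list must cover break-glass accounts, because the same logic that stops MFA fatigue lets anyone holding a user's password disable that user at will, so pair it with an alert and a documented re-enable path; and since the goal is MFA fatigue, also confirm Authenticator number matching is enforced in the tenant, which removes the blind "Approve" tap that fatigue attacks depend on.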
