How to get Azure lockout policy settings using PowerShell commands?

Anonymous
2023-02-08T09:54:58.0366667+00:00

Hi, I am looking for a way to get the lockout policy settings in Azure using PowerShell (preferably Microsoft Graph PowerShell SDK). The specific settings I want to export with PowerShell are 'Lockout threshold' and 'Lockout duration in seconds' that can be found in the Azure portal at Home > Security > Authentication Methods > Password Protection.

I have already tried many commands of the Microsoft Graph and the AzureAD PowerShell module, but none have displayed the values of the specific settings I am looking for. The command that comes closest to what I want according to the documentation is 'Get-MgDirectorySetting', but this just seems to give an empty output.

Any help with this issue would be much appreciated!

Best regards.


Accepted answer
  1. Harpreet Singh Matharoo 7,486 Reputation points Microsoft Employee
    2023-02-08T10:15:07.65+00:00

    Hello @Daan

    Thank you for reaching out. This can be queried using Microsoft Graph PowerShell with the beta profile. Please find the commands and sample output below:

    Commands:

    Connect-MgGraph
    Select-MgProfile -Name beta
    Get-MgDirectorySetting 
    Get-MgDirectorySetting -DirectorySettingId 08e0dc4c-39f0-410a-9921-ded2eaa07136 | Select-Object -ExpandProperty Values
    

    Note: The DirectorySettingId is unique to your tenant, so replace the value with the one you see for your tenant.

    Sample Output Screenshot from PowerShell and Azure Portal:
    User's image


    I hope this answer helps to resolve your issue.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.

1 additional answer

  1. Vasil Michev 95,581 Reputation points MVP
    2023-02-08T10:14:58.8333333+00:00

    You can get them as part of the Directory settings resource, which can be queried via the following:

    GET https://graph.microsoft.com/beta/settings

    This will return all the setting objects, and password protection ones are those contained within the object using templateId of 5cf42378-d67d-4f36-ba46-e8b86229381d.

    If you are getting null output, this means that no tenant-specific settings object is configured, thus the default template applies, which in turn you can get via:

    GET https://graph.microsoft.com/beta/directorySettingTemplates/5cf42378-d67d-4f36-ba46-e8b86229381d

    The corresponding PowerShell cmdlets are Get-MgDirectorySetting and Get-MgDirectorySettingTemplate. Both are only available under /beta, so make sure to Select-MgProfile beta first.

    3 people found this answer helpful.
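
The two answers above combined into one script, as an added example that is not from either answer: it reads the tenant's password protection settings object and falls back to the template defaults when no tenant object exists, calling the two Graph URLs from the second answer directly so it does not depend on the selected profile. The function name `Get-LockoutPolicy`, the setting names `LockoutThreshold` and `LockoutDurationInSeconds`, and the `Directory.Read.All` scope are not on the page; they are the names used by the password protection template and a read-only scope that covers directory settings.

```powershell
# Added example (not from the answers above). Requires the Microsoft.Graph.Authentication
# module, which provides Connect-MgGraph and Invoke-MgGraphRequest.

# Template ID of the password protection settings, as quoted in the second answer.
$TemplateId = '5cf42378-d67d-4f36-ba46-e8b86229381d'
# Setting names inside that template (not shown on the page).
$Wanted = 'LockoutThreshold', 'LockoutDurationInSeconds'

function Get-LockoutPolicy {
    $base = 'https://graph.microsoft.com/beta'

    # Tenant-specific setting objects; the list is empty when nothing was customised.
    $all = Invoke-MgGraphRequest -Method GET -Uri "$base/settings"
    # Index syntax is used on purpose: the response is a hashtable, and keys such as
    # 'values' would otherwise be easy to confuse with the Hashtable.Values property.
    $tenantObj = $all['value'] |
        Where-Object { $_['templateId'] -eq $TemplateId } |
        Select-Object -First 1

    if ($tenantObj) {
        $source   = 'TenantSetting'
        $valueKey = 'value'
        $entries  = $tenantObj['values']
    }
    else {
        # No tenant object: the template defaults are what is in effect.
        $template = Invoke-MgGraphRequest -Method GET -Uri "$base/directorySettingTemplates/$TemplateId"
        $source   = 'TemplateDefault'
        $valueKey = 'defaultValue'
        $entries  = $template['values']
    }

    foreach ($entry in $entries) {
        if ($entry['name'] -in $Wanted) {
            [pscustomobject]@{
                Setting = $entry['name']
                Value   = $entry[$valueKey]
                Source  = $source
            }
        }
    }
}

Connect-MgGraph -Scopes 'Directory.Read.All'   # read-only scope
Get-LockoutPolicy | Format-Table -AutoSize
```

The `Source` column distinguishes a value an administrator set explicitly from one inherited from the template, which is useful when exporting the lockout policy as evidence for a configuration review.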