Implement Microsoft Entra Smart Lockout


Smart Lockout locks out bad actors who are trying to guess users’ passwords or use brute-force methods to gain access. It can recognize sign-ins coming from valid users and treat them differently than ones of attackers and other unknown sources. Smart Lockout locks out the attackers, while letting an organization's users continue to access their accounts and be productive.

By default, after 10 failed attempts, Smart Lockout locks the account from sign-in attempts for one minute. From then on, each successive failed attempt locks the account again: the eleventh failed attempt locks it for another minute, and starting with the twelfth failed attempt the lockout duration grows longer.

Smart Lockout tracks the hashes of the three previous failed passwords so that it doesn't increment the lockout counter when the same bad password is submitted again. Smart Lockout doesn't lock a user account if someone enters the same bad password multiple times.

Note

Pass-through authentication happens on-premises and not in the cloud. As such, hash tracking functionality isn't available for customers with PTA enabled.

Smart Lockout is always on for all Microsoft Entra ID customers with these default settings that offer the right mix of security and usability. Customization of the Smart Lockout settings, with values specific to an organization, requires paid Microsoft Entra licenses for its users.

Smart Lockout doesn't guarantee that it never locks out a genuine user. When Smart Lockout locks a user account, the service tries its best to not lock out the genuine user. The lockout service attempts to ensure that bad actors can’t gain access to a genuine user account.

  • Each Microsoft Entra ID data center tracks lockout independently. If a user's sign-in attempts reach every data center, the total number of attempts Smart Lockout allows before the user is locked out everywhere is given by the following equation: threshold_limit × datacenter_count.
  • Smart Lockout uses familiar location versus unfamiliar location to differentiate between a bad actor and the genuine user. Unfamiliar and familiar locations have separate lockout counters.
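To make the counter rules above concrete (threshold, escalating duration, no increment for a repeated bad password, separate familiar and unfamiliar counters), here is an added PowerShell model written for this unit. It is not Microsoft's implementation and is not code from the module: the doubling of the lockout duration on repeated lockouts and the reset of the counter on a successful sign-in are assumptions made so the model runs; the page only says the lockout gets "longer".

```powershell
# Simplified, illustrative model of Smart Lockout's counting rules (not Microsoft's code).
class SmartLockoutModel {
    [int]$Threshold
    [int]$DurationSeconds
    hidden [hashtable]$Counter      = @{}
    hidden [hashtable]$LockedUntil  = @{}
    hidden [hashtable]$Lockouts     = @{}
    hidden [hashtable]$RecentHashes = @{}

    SmartLockoutModel([int]$threshold, [int]$durationSeconds) {
        $this.Threshold = $threshold
        $this.DurationSeconds = $durationSeconds
        # Familiar and unfamiliar locations keep separate counters, as the unit states.
        foreach ($loc in 'Familiar', 'Unfamiliar') {
            $this.Counter[$loc]      = 0
            $this.LockedUntil[$loc]  = [datetime]::MinValue
            $this.Lockouts[$loc]     = 0
            $this.RecentHashes[$loc] = [System.Collections.Generic.List[string]]::new()
        }
    }

    # Only a hash of the bad password is kept, mirroring the "hash tracking" the unit mentions.
    static [string] Hash([string]$password) {
        $sha   = [System.Security.Cryptography.SHA256]::Create()
        $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($password))
        return [System.BitConverter]::ToString($bytes)
    }

    # Evaluates one sign-in attempt and returns a short status string.
    [string] Attempt([string]$location, [string]$password, [bool]$correct, [datetime]$now) {
        if ($now -lt $this.LockedUntil[$location]) { return 'Locked' }
        if ($correct) {
            $this.Counter[$location] = 0        # model assumption: a successful sign-in clears the counter
            return 'Success'
        }
        $h = [SmartLockoutModel]::Hash($password)
        if ($this.RecentHashes[$location].Contains($h)) {
            return 'BadPasswordRepeated'        # same bad password again: the counter is not incremented
        }
        $this.RecentHashes[$location].Add($h)
        if ($this.RecentHashes[$location].Count -gt 3) { $this.RecentHashes[$location].RemoveAt(0) }

        $this.Counter[$location]++
        if ($this.Counter[$location] -ge $this.Threshold) {
            $this.Lockouts[$location]++
            # First lockout lasts DurationSeconds; each repeated lockout lasts longer (doubling is a model assumption).
            $seconds = $this.DurationSeconds * [math]::Pow(2, $this.Lockouts[$location] - 1)
            $this.LockedUntil[$location] = $now.AddSeconds($seconds)
            # Keep the counter at the threshold so the first failure after the lockout expires locks again.
            $this.Counter[$location] = $this.Threshold
            return "LockedOut($seconds s)"
        }
        return 'BadPassword'
    }
}

# Walk-through with the default values (10 attempts, 60 seconds) and constructed sample passwords.
$model = [SmartLockoutModel]::new(10, 60)
$t = Get-Date

# The same wrong password sent repeatedly counts once.
1..5 | ForEach-Object { $model.Attempt('Unfamiliar', 'Winter2024!', $false, $t) }

# Distinct guesses from an unfamiliar location advance the counter until the threshold locks it.
1..10 | ForEach-Object { $model.Attempt('Unfamiliar', "guess$_", $false, $t) }

# The familiar location has its own counter, so the genuine user is unaffected.
$model.Attempt('Familiar', 'CorrectPassword', $true, $t)

# After the lockout expires, one more failure from the unfamiliar location locks it again, for longer.
$model.Attempt('Unfamiliar', 'guess11', $false, $t.AddSeconds(61))
```

In the real service the counter is also kept per data center, so attempts spread across data centers can total threshold_limit × datacenter_count before every data center has locked the account; the model above represents a single data center.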

Organizations can integrate Smart Lockout with hybrid deployments. In this scenario, the system protects on-premises Active Directory accounts against lockout from attackers by using password hash sync or pass-through authentication. An organization that appropriately sets Smart Lockout policies in Microsoft Entra ID can filter out attacks before they reach the company's on-premises Active Directory.

Smart Lockout integration with pass-through authentication

When an organization implements pass-through authentication, it must ensure that:

  • The Microsoft Entra lockout threshold is less than the Active Directory account lockout threshold. Set the values so that the Active Directory account lockout threshold is at least two or three times greater than the Microsoft Entra lockout threshold.
  • The Microsoft Entra lockout duration is longer than the Active Directory reset account lockout counter after value.

Warning

An administrator defines the Microsoft Entra lockout duration in seconds, but the Active Directory account lockout settings in minutes, so convert before comparing. For example, assume an organization wants its Microsoft Entra lockout duration to be longer than the AD reset window. The organization could set its Microsoft Entra lockout duration to 120 seconds (2 minutes) while setting its on-premises AD reset account lockout counter to 1 minute (60 seconds).

Important

Currently, if Smart Lockout locks a user's cloud account, an administrator must wait for the lockout duration to expire before they can unlock it. However, the user can unlock their account by using self-service password reset (SSPR) from a trusted device or location.

Verify on-premises account lockout policy

An organization should complete the following instructions to verify its on-premises Active Directory account lockout policy:

  1. Open the Group Policy Management tool.
  2. Edit the group policy that includes the organization's account lockout policy. For example, the Default Domain Policy.
  3. Browse to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.
  4. Verify your Account lockout threshold and Reset account lockout counter after values.
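The Group Policy Management steps above read the values by hand. The following PowerShell function, added for this unit and not part of the module, reads the same on-premises values with the ActiveDirectory module's Get-ADDefaultDomainPasswordPolicy and checks them against the Microsoft Entra values you intend to use, applying the two pass-through authentication rules from the previous section. The Entra values are passed in as parameters because this unit takes them from the admin center; the 2× minimum ratio is the lower end of the "two or three times" guidance and can be raised.

```powershell
# Added check (not from the module): compare the on-premises Active Directory lockout policy
# with the planned Microsoft Entra Smart Lockout values for a pass-through authentication tenant.
function Test-HybridLockoutPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][int]$EntraLockoutThreshold,        # failed sign-ins before the first Entra lockout (default 10)
        [Parameter(Mandatory)][int]$EntraLockoutDurationSeconds,  # length of each Entra lockout in seconds (default 60)
        [int]$MinimumRatio = 2                                    # AD threshold should be at least 2-3x the Entra threshold
    )

    Import-Module ActiveDirectory -ErrorAction Stop
    # Reflects the domain's effective Default Domain Policy lockout values.
    $ad = Get-ADDefaultDomainPasswordPolicy

    $adThreshold       = $ad.LockoutThreshold                        # "Account lockout threshold"
    $adResetSeconds    = $ad.LockoutObservationWindow.TotalSeconds   # "Reset account lockout counter after" (minutes in GPMC)
    $adDurationSeconds = $ad.LockoutDuration.TotalSeconds            # "Account lockout duration" (minutes in GPMC)

    $findings = @()

    # Rule 1: Entra must lock first, with a comfortable margin, so attackers are filtered before reaching AD.
    if ($adThreshold -eq 0) {
        $findings += 'AD account lockout threshold is 0 (never locks); there is no on-premises backstop if Smart Lockout is bypassed.'
    }
    elseif ($adThreshold -lt ($MinimumRatio * $EntraLockoutThreshold)) {
        $findings += "AD threshold $adThreshold is below ${MinimumRatio}x the Entra threshold $EntraLockoutThreshold; AD can lock the on-premises account before Entra locks the cloud attempts."
    }

    # Rule 2: the Entra lockout must outlast the AD reset window, or the AD counter never gets a chance to reset.
    if ($EntraLockoutDurationSeconds -le $adResetSeconds) {
        $findings += "Entra lockout duration ${EntraLockoutDurationSeconds}s is not longer than the AD reset window ${adResetSeconds}s."
    }

    [pscustomobject]@{
        AdLockoutThreshold          = $adThreshold
        AdResetCounterAfterSeconds  = $adResetSeconds
        AdLockoutDurationSeconds    = $adDurationSeconds
        EntraLockoutThreshold       = $EntraLockoutThreshold
        EntraLockoutDurationSeconds = $EntraLockoutDurationSeconds
        Compliant                   = ($findings.Count -eq 0)
        Findings                    = $findings
    }
}

# Example run with the unit's sample values: Entra threshold 10, Entra lockout 120 seconds.
Test-HybridLockoutPolicy -EntraLockoutThreshold 10 -EntraLockoutDurationSeconds 120 | Format-List
```

Run it on a domain-joined management host with the RSAT ActiveDirectory module; if a fine-grained password policy applies to the affected users, check that policy with Get-ADFineGrainedPasswordPolicy instead, since it overrides the default domain values.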

Manage Microsoft Entra Smart Lockout values

Based on an organization's requirements, it might need to customize Smart Lockout values. Customization of the Smart Lockout settings, with values specific to the organization, requires paid Microsoft Entra licenses for its users.

To check or modify the Smart Lockout values for an organization, complete the following steps:

  1. Sign in to the Microsoft Entra admin center and navigate to Protection > Authentication methods > Password protection.
  2. Set the Lockout threshold, based on how many failed sign-ins the organization allows on an account before its first lockout. The default is 10.
  3. Set the Lockout duration in seconds, to the length in seconds of each lockout. The default is 60 seconds.
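For tenants that want to audit or change these values from a script rather than the admin center, the following PowerShell is an added example for this unit and not the module's own code. It assumes, as documented for the Microsoft Graph beta directory settings, that the tenant's password protection values are stored in the directory setting named "Password Rule Settings" with entries LockoutThreshold and LockoutDurationInSeconds; verify this against your own tenant before relying on it, and note that the setting object only exists once the tenant has customized the defaults.

```powershell
# Added example (not from the module): read and update Smart Lockout values through Microsoft Graph.
# Assumption: the values live in the beta directory setting "Password Rule Settings".
Connect-MgGraph -Scopes 'Directory.ReadWrite.All'

function Get-SmartLockoutSetting {
    $settings = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/settings' -OutputType PSObject).value
    $pw = $settings | Where-Object { $_.displayName -eq 'Password Rule Settings' }
    if (-not $pw) {
        throw "'Password Rule Settings' not found; the tenant is likely still on the defaults (threshold 10, 60 seconds)."
    }
    $vals = @{}
    foreach ($v in $pw.values) { $vals[$v.name] = $v.value }
    [pscustomobject]@{
        Id                       = $pw.id
        LockoutThreshold         = [int]$vals['LockoutThreshold']
        LockoutDurationInSeconds = [int]$vals['LockoutDurationInSeconds']
    }
}

function Set-SmartLockoutSetting {
    param(
        [Parameter(Mandatory)][int]$Threshold,        # failed sign-ins before the first lockout
        [Parameter(Mandatory)][int]$DurationSeconds   # length of each lockout in seconds
    )
    $current = Get-SmartLockoutSetting
    # Directory setting values are patched as name/value pairs with string values.
    $body = @{
        values = @(
            @{ name = 'LockoutThreshold';         value = "$Threshold" },
            @{ name = 'LockoutDurationInSeconds'; value = "$DurationSeconds" }
        )
    }
    Invoke-MgGraphRequest -Method PATCH `
        -Uri "https://graph.microsoft.com/beta/settings/$($current.Id)" `
        -Body ($body | ConvertTo-Json -Depth 4) -ContentType 'application/json'
    Get-SmartLockoutSetting   # read back so the caller sees the effective values
}

# Audit the current values, then apply the unit's example of a 120-second lockout.
Get-SmartLockoutSetting
Set-SmartLockoutSetting -Threshold 10 -DurationSeconds 120
```

Customizing these values requires paid Microsoft Entra licenses for the tenant's users, as stated above; a read-only audit with Get-SmartLockoutSetting needs only the Directory.Read.All scope.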

Warning

If the first sign-in after a lockout also fails, the account locks out again. When an account locks repeatedly, Smart Lockout increases the lockout duration.

How to determine if Smart Lockout is working

When a failed user sign-in triggers the Smart Lockout threshold, the system displays the following message:

Your account is temporarily locked to prevent unauthorized use. Try again later, and if you still have trouble, contact your admin.