Smart Lockout in Microsoft Entra ID helps protect Microsoft Entra ID accounts from password attacks. It is called "smart" because it is designed to lock out attackers without negatively impacting regular users.

How Microsoft Entra ID Smart Lockout works

By default, the threshold for account lockout is set to 10 failed attempts. After these 10 failed login attempts, the account is automatically locked for 1 minute.

Now comes the first smart feature: with each additional failed login attempt, the account lockout time increases. However, how much the lockout time grows after each additional failed attempt is neither fixed nor published anywhere, so an attacker cannot tune an attack around this protection feature.

Another smart feature is that the service remembers the last three incorrectly entered passwords and does not count re-entries of those same three passwords. In other words, if you keep trying the same wrong password over and over again, it won't count toward failed login attempts and therefore won't lock your account.

When an account is locked, it is locked across all Microsoft Entra ID datacenters. However, the number of failed login attempts and the associated lockout threshold are not fully synchronized across all datacenters and may vary between locations in the world.

Also, familiar locations and unfamiliar locations use independent failed login attempt counters. This is because attempts from familiar locations are assumed to be likely to come from the real user, while attempts from unfamiliar locations are assumed to be unlikely to come from the real user.
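To make the counting rules above concrete, here is an added toy model of Smart Lockout (example code written for this article, not Microsoft's implementation). The default threshold (10) and first lockout (1 minute) come from the text; the doubling escalation schedule is an assumption, since the real schedule is unpublished, and the model does not reset counters on a successful sign-in because the article does not describe that behavior.

```python
from collections import deque

THRESHOLD = 10        # default failed attempts before the first lockout
BASE_LOCKOUT = 60     # default first lockout: 1 minute, in seconds
REMEMBERED = 3        # last N wrong passwords whose re-entry is not counted


class SmartLockoutModel:
    """Toy model of the Smart Lockout rules described in the article."""

    def __init__(self, correct_password):
        self._correct = correct_password
        # Familiar and unfamiliar locations keep independent failure counters.
        self._failures = {"familiar": 0, "unfamiliar": 0}
        # The last three incorrect passwords; re-entering one is not counted.
        self._recent_wrong = deque(maxlen=REMEMBERED)
        self._escalation = 0      # grows with each lockout-triggering failure
        self._locked_until = 0.0  # model time at which the lock expires

    def attempt(self, password, familiar, now):
        """Return (outcome, lockout_seconds).

        outcome is 'success', 'failed', 'ignored' or 'locked'.
        """
        if now < self._locked_until:
            # While locked, every attempt is rejected, correct password or not.
            return "locked", self._locked_until - now
        if password == self._correct:
            return "success", 0
        if password in self._recent_wrong:
            # Repeating a recently tried wrong password does not count.
            return "ignored", 0
        self._recent_wrong.append(password)
        bucket = "familiar" if familiar else "unfamiliar"
        self._failures[bucket] += 1
        if self._failures[bucket] >= THRESHOLD:
            # ASSUMPTION: lockout time doubles on each further counted failure.
            duration = BASE_LOCKOUT * (2 ** self._escalation)
            self._escalation += 1
            self._locked_until = now + duration
            return "locked", duration
        return "failed", 0


if __name__ == "__main__":
    model = SmartLockoutModel("Correct-Horse-Battery")  # constructed sample
    for i in range(1, 12):
        print(i, model.attempt(f"wrong{i}", True, now=i))
```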

Smart Lockout in Microsoft Entra ID Premium

All of the above features are a standard part of Microsoft Entra ID regardless of license. If you have Microsoft Entra ID Premium licenses in your tenant, you have the option of further customization.

In the Microsoft Entra ID portal, open Protection and go to Authentication methods – Password protection. Here you can modify the default behavior of Microsoft Entra ID Password protection.

At the top of the menu, there is an option to set a custom lockout threshold and lockout duration instead of the default values.

In addition to the aforementioned lockouts based on incorrectly entered passwords, Microsoft Entra ID automatically blocks malicious sign-in attempts based on various signals. These attempts are blocked automatically regardless of the password protection policy. Such blocked sign-in attempts are reported in the sign-in log with the AADSTS50053 – IdsLocked error code.