Smart lockout helps lock out bad actors who try to guess your users' passwords or use brute-force methods to get in. Smart lockout can recognize sign-ins that come from valid users and treat them differently from those of attackers and other unknown sources. Attackers get locked out, while your users continue to access their accounts and be productive.
By default, smart lockout locks the account from sign-in attempts for one minute after 10 failed attempts for Azure Public tenants and 3 for Azure US Government tenants. The account locks again after each subsequent failed sign-in attempt, for one minute at first and longer in subsequent attempts. To minimize the ways an attacker could work around this behavior, we don't disclose the rate at which the lockout period grows over additional unsuccessful sign-in attempts.
Smart lockout tracks the last three bad password hashes to avoid incrementing the lockout counter for the same password. If someone enters the same bad password multiple times, this behavior won't cause the account to lock out.
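The counter semantics described above, as an added Python model that is not Microsoft's implementation: a threshold of distinct failed attempts, a fixed first lockout duration, a longer lock on each later failure, and de-duplication of the last three bad-password hashes. The growth factor (`escalation`) is an assumption, since the real rate is undisclosed.

```python
import hashlib
from collections import deque


class SmartLockoutModel:
    """Toy model of the smart lockout counter (added example, not Azure AD code).

    - After `threshold` distinct failed attempts the account locks for `duration_s`.
    - Every later failed attempt locks the account again, for longer each time.
    - The last three bad-password hashes are remembered, so repeating the same
      wrong password does not advance the counter.
    The growth factor `escalation` is an assumption; Azure AD does not publish it.
    """

    def __init__(self, threshold=10, duration_s=60, escalation=2):
        self.threshold = threshold
        self.duration_s = duration_s
        self.escalation = escalation
        self.failed = 0                    # failed attempts counted toward lockout
        self.lockouts = 0                  # lockouts that have occurred so far
        self.locked_until = 0.0            # time (seconds) when the current lock ends
        self.recent_bad = deque(maxlen=3)  # hashes of the last three bad passwords

    def is_locked(self, now):
        return now < self.locked_until

    def attempt(self, password, correct_password, now):
        """Process one sign-in attempt at time `now` and return its outcome."""
        if self.is_locked(now):
            return "locked"            # even the right password is rejected while locked
        if password == correct_password:
            self.failed = 0
            self.lockouts = 0
            self.recent_bad.clear()
            return "success"
        digest = hashlib.sha256(password.encode()).hexdigest()
        if digest in self.recent_bad:
            return "failed_repeat"     # same bad password again: counter unchanged
        self.recent_bad.append(digest)
        self.failed += 1
        if self.failed >= self.threshold:
            # First lock lasts duration_s; later ones grow by the assumed factor.
            self.locked_until = now + self.duration_s * self.escalation ** self.lockouts
            self.lockouts += 1
            return "locked"
        return "failed"
```

Running the model with threshold 3 (the US Government default) shows that one typo retried several times costs a single counter step, while three different wrong passwords trigger the first one-minute lock.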
Based on your organizational requirements, you can customize the Azure AD smart lockout values. Customization of the smart lockout settings, with values specific to your organization, requires Azure AD Premium P1 or higher licenses for your users.
To check or modify the smart lockout values for your organization, complete the following steps:
- Sign in to the Azure portal.
- Search for and select Azure Active Directory, then select Security > Authentication methods > Password protection.
- Set the Lockout threshold: the number of failed sign-ins allowed on an account before its first lockout. The default is 10 for Azure Public tenants and 3 for Azure US Government tenants.
- Set the Lockout duration in seconds: the length of each lockout. The default is 60 seconds (one minute).
How to determine if the Smart lockout feature is working or not
When the smart lockout threshold is triggered, you will get the following message while the account is locked:
Your account is temporarily locked to prevent unauthorized use. Try again later, and if you still have trouble, contact your admin.
When you test smart lockout, your sign-in requests might be handled by different datacenters due to the geo-distributed and load-balanced nature of the Azure AD authentication service.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout