Azure Active Directory smart lockout

Ganesh Chauhan, Technical Support Specialist, Microsoft Azure

Smart lockout helps to keep out bad actors who try to guess your users’ passwords or use brute-force methods to gain access. A smart lockout can distinguish between legitimate user sign-ins and those from attackers and other unknown sources. Attackers are locked out, while your users can continue to use their accounts and be productive.

How does smart lockout function?

Smart lockout disables sign-in attempts for one minute after ten failed attempts for Azure Public and Azure China 21Vianet tenants and three for Azure US Government tenants. After each subsequent failed sign-in attempt, the account is locked for one minute at first and for longer in subsequent attempts. We won’t reveal the rate at which the lockout period grows over additional unsuccessful sign-in attempts to limit the ways an attacker could exploit this behavior.

To avoid incrementing the lockout counter for the same password, smart lockout tracks the last three bad password hashes. If someone enters the same bad password multiple times, the account will not be locked out.

Federated AD FS 2016 and AD FS 2019 deployments can achieve similar benefits by utilizing AD FS Extranet Lockout and Extranet Smart Lockout.

Smart lockout is enabled by default for all Azure AD customers, providing the ideal balance of security and usability. Customizing the smart lockout settings with values unique to your organization necessitates the purchase of Azure AD Premium P1 or higher licenses for your users.

Using smart lockout does not ensure that a legitimate user is never locked out. When smart lockout locks a user account, we make every effort to keep the genuine user from being locked out. The lockout service attempts to prevent bad actors from gaining access to legitimate user accounts. The following factors must be considered:

  • Each Azure AD data center keeps track of lockout in its own way. If a user visits each data center, he or she has (threshold limit * datacenter count) attempts.

 

  • Smart Lockout distinguishes between a bad actor and a genuine user by comparing familiar and unfamiliar locations. Lockout counters are separate in unfamiliar and familiar locations.

 

A smart lockout can be integrated with hybrid deployments that use password hash sync or pass-through authentication to prevent attackers from locking out on-premises Active Directory Domain Services (AD DS) accounts. Attacks can be filtered out before they reach on-premises AD DS by appropriately configuring smart lockout policies in Azure AD.

 

When using pass-through authentication, keep the following things in mind:

  • The Azure AD lockout threshold is lower than the AD DS account lockout threshold. Set the values so that the AD DS account lockout threshold is at least two or three times greater than the Azure AD lockout threshold.
  • The Azure AD lockout duration must be set to be longer than the AD DS reset account lockout counter after duration. The Azure AD duration is set in seconds, whereas the AD duration is set in minutes.

For example, if you want your Azure AD smart lockout duration to be longer than AD DS, you can set Azure AD to 120 seconds (2 minutes) while on-premises AD is set to 1 minute (60 seconds). If your Azure AD lockout threshold is 5, your on-premises AD lockout threshold should be 10. This configuration ensures that smart lockout prevents brute force attacks on your Azure AD accounts from locking out your on-premises AD accounts.

 Manage the smart lockout values in Azure AD.

The Azure AD smart lockout values can be customized based on your organization’s needs. Customizing the smart lockout settings with values unique to your organization necessitates the purchase of Azure AD Premium P1 or higher licenses for your users. Smart lockout settings cannot be customized for Azure China 21Vianet tenants.

 

Complete the following steps to check or modify your organization’s smart lockout values:

  1. Sign in to the Azure portal.
  2. Search for and select Azure Active Directory, then select SecurityAuthentication methods > Password protection.
  3. Set the Lockout threshold, based on how many failed sign-ins are allowed on an account before its first lockout.

The default is 10 for Azure Public tenants and 3 for Azure US Government tenants.

  1. Set the Lockout duration in seconds, to the length in seconds of each lockout.

The default is 60 seconds (one minute).

Professional Labs is the premier cloud managed service provider in Oman. Contact us for more information
Contact Us | Professional labs (prolabsit.com)