Unit 7: Configure Smart Lockout Thresholds
What is Smart Lockout
Smart lockout helps protect accounts from brute-force and password guessing attacks while reducing impact to legitimate users.
Default behavior:
- After 10 failed sign-in attempts, the account is locked for 1 minute.
- Each subsequent failed attempt locks the account again, first for 1 minute, then for longer periods.
- Microsoft does not publish the growth rate of lockout duration.
Smart lockout also:
- Tracks the last three bad-password hashes so repeated attempts with the same wrong password do not increment the counter.
Federated deployments:
- AD FS 2016 and 2019 support similar features with Extranet Lockout and Extranet Smart Lockout.
Smart lockout availability:
- Always on for all Microsoft Entra ID customers with the default settings.
- Customizing the threshold and duration requires Microsoft Entra ID Premium P1 or higher.
Behavior and Considerations
- There is no guarantee that a genuine user is never locked out, but the system tries to favor the legitimate user.
- Each Entra data center tracks lockouts independently.
- Users effectively have (threshold × number of data centers) attempts if they hit multiple data centers.
- Smart lockout maintains separate counters for familiar and unfamiliar locations.
- Smart lockout works with password hash sync or pass-through authentication to protect on-prem AD DS from remote attacks.
🧪 Example
- Lockout threshold = 10
- User hits Data Center A → 10 bad attempts → locked out
- Later hits Data Center B → fresh counter → 10 more attempts
But this only happens if the user's traffic is routed to different data centers, not from a single bad-password attempt.
Pass-Through Authentication Considerations
Configuration guidelines:
- Entra lockout threshold must be lower than AD DS lockout threshold.
- Example: Entra threshold = 5, on-prem AD threshold = 10.
- Entra lockout duration must be longer than AD DS lockout duration.
- Entra duration is in seconds.
- AD duration is in minutes.
Example:
- Entra lockout duration = 120 seconds (2 minutes).
- On-prem AD lockout duration = 1 minute (60 seconds).
- Entra lockout threshold = 5.
- On-prem AD lockout threshold = 10.
This ensures that smart lockout in Entra stops attacks before they lock out accounts in on-prem AD.
🔐 Why Entra Lockout Should Trigger First
✅ 1. Stops Attacks Before They Reach AD
- Entra acts as the first line of defense.
- If Smart Lockout in Entra triggers early (lower threshold), it blocks further login attempts before they’re forwarded to your on-prem AD.
- This protects your domain controllers from brute-force overload.
⏱️ Why Entra Lockout Should Last Longer
- If the Entra lockout duration is longer than AD's, it ensures:
  - The attacker stays blocked at the cloud level.
  - Even if AD unlocks sooner, Entra still holds the line.
- This prevents attackers from retrying through Entra and reaching AD again.
Example Scenario:
| Setting | Entra | AD DS |
|---|---|---|
| Lockout Threshold | 5 attempts | 10 attempts |
| Lockout Duration | 120 seconds | 60 seconds |
- Attacker tries 5 bad passwords → Entra locks out
- Entra stops forwarding requests to AD
- AD never reaches its threshold → no lockout for real user
- After 1 minute, AD unlocks—but Entra still blocks for another minute
✅ This gives legitimate users a chance to recover without being locked out on-prem.
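The two PTA guidelines and the scenario above, worked through as an added example (not Microsoft's code or a Microsoft API): a checker that compares the settings in a common unit, and a small replay of wrong-password attempts that shows why AD DS never reaches its threshold when Entra locks first. It assumes a single Entra data center, a different wrong password on every guess, and a fixed cloud lockout duration, since Microsoft does not publish how that duration grows.

```python
from dataclasses import dataclass
from typing import List, Optional


def check_pta_lockout_policy(entra_threshold: int, entra_duration_s: int,
                             ad_threshold: int, ad_duration_min: int) -> List[str]:
    """Return the PTA guideline violations for a settings pair (empty when sound).

    Entra expresses duration in seconds and AD DS in minutes, so compare in seconds.
    """
    ad_duration_s = ad_duration_min * 60
    problems = []
    if entra_threshold >= ad_threshold:
        problems.append(f"Entra threshold {entra_threshold} is not lower than AD DS threshold {ad_threshold}")
    if entra_duration_s <= ad_duration_s:
        problems.append(f"Entra duration {entra_duration_s}s is not longer than AD DS duration {ad_duration_s}s")
    return problems


@dataclass
class Outcome:
    entra_locked_at: Optional[float] = None  # time of the first cloud lockout
    forwarded_to_ad: int = 0                 # bad passwords the PTA agent validated against AD DS
    ad_locked: bool = False                  # whether on-prem AD DS ever locked the account


def simulate_guessing(attempt_times, entra_threshold, entra_duration_s,
                      ad_threshold, ad_duration_min) -> Outcome:
    """Replay wrong-password attempts (seconds since start) through Entra, then AD DS.

    Simplified model (assumption): one data center, a different wrong password per
    guess, and a fixed cloud lockout duration; after the first lockout any further
    failure re-locks immediately, matching the documented default behaviour.
    """
    ad_duration_s = ad_duration_min * 60
    out = Outcome()
    entra_fail, entra_locked_until = 0, -1.0
    ad_fail, ad_locked_until = 0, -1.0
    for t in sorted(attempt_times):
        if t < entra_locked_until:
            continue  # rejected at the cloud; never forwarded to the domain controller
        entra_fail += 1
        if entra_fail >= entra_threshold or out.entra_locked_at is not None:
            entra_locked_until = t + entra_duration_s
            entra_fail = 0
            if out.entra_locked_at is None:
                out.entra_locked_at = t
        out.forwarded_to_ad += 1  # PTA still had to validate this password on-prem
        if t >= ad_locked_until:  # AD DS only counts failures while not already locked
            ad_fail += 1
            if ad_fail >= ad_threshold:
                out.ad_locked = True
                ad_locked_until = t + ad_duration_s
                ad_fail = 0
    return out
```

Running `simulate_guessing(range(20), 5, 120, 10, 1)` reproduces the table: Entra locks on the fifth attempt, only five failures reach AD DS, and the on-prem account is never locked; swapping the thresholds (10 in Entra, 5 in AD DS) locks the on-prem account instead.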