Description:

The account lockout threshold is a security setting in Microsoft Entra ID (formerly Azure Active Directory) that determines the number of failed sign-in attempts a user can make before their account is temporarily locked. This setting helps protect against brute-force attacks by preventing attackers from repeatedly guessing passwords.

By setting the account lockout threshold to 10 or fewer failed attempts, organizations can significantly reduce the likelihood of successful brute-force attacks while still allowing users to attempt to sign in without unnecessarily locking them out after just a few failed tries.

Rationale:

Setting the account lockout threshold to 10 or fewer:

  • Prevents brute-force attacks by limiting the number of incorrect sign-in attempts an attacker can make before the account is locked.

  • Helps protect sensitive data by reducing the risk of unauthorized access attempts.

  • Ensures user convenience by allowing a reasonable number of failed attempts before locking the account.

Impact:

Setting the account lockout threshold to 10 or fewer will:

  • Increase security by reducing the opportunity for attackers to attempt to guess a user’s password.

  • Slightly increase the likelihood of a legitimate user being locked out if they forget their password, but this is a trade-off for better protection against brute-force attacks.

  • Help ensure compliance with best practices for password security and account protection.

Default Value:

By default, Microsoft Entra ID (Azure AD) may have a higher lockout threshold, which can be manually adjusted to suit the organization's security needs.

Pre-requisites:

  • Azure subscription with Microsoft Entra ID (Azure AD) configured.

  • Global Administrator or Security Administrator role permissions to configure lockout settings.

  • Access to Azure AD security settings to modify account protection configurations.

Audit:

  1. Sign in to Azure portal as a Global Administrator or Security Administrator.

  2. Navigate to Microsoft Entra ID > Security > Authentication methods.

  3. Ensure that the account lockout threshold is set to 10 or fewer failed attempts.

Implementation Steps (Manual):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Security Administrator permissions.

  2. Navigate to Microsoft Entra ID (Azure AD):

    • In the Azure portal, go to Azure Active Directory.

  3. Go to Authentication Methods:

    • Under Security, select Authentication methods.

  4. Modify the Account Lockout Settings:

    • In the Authentication methods pane, locate the account lockout settings.

    • Set the lockout threshold to 10 or fewer failed attempts.

  5. Set Lockout Duration and Reset Period:

    • Along with the lockout threshold, consider configuring the lockout duration (how long the account remains locked) and the reset counter period (how long it takes for the failed attempt counter to reset). A common setup is:

      • Lockout threshold: 10 failed attempts

      • Lockout duration: 15 minutes

      • Reset counter period: 15 minutes

  6. Save the Configuration:

    • After configuring the account lockout threshold, click Save to apply the changes.

  7. Verify the Lockout Threshold Setting:

    • After saving the settings, test the configuration on a dedicated test account by intentionally entering incorrect credentials multiple times to ensure the account locks after the specified number of failed attempts.

    • Monitor for any lockout incidents or alerts that indicate users are being locked out due to excessive failed attempts.

  8. Communicate to Users:

    • Notify users about the new account lockout threshold and encourage them to ensure their password management practices are secure to avoid accidental lockouts.

  9. Monitor and Review:

    • Use Azure AD sign-in logs to monitor for any unauthorized or failed login attempts and confirm that the lockout policy is working as intended.

    • Set up alerts for account lockout events to notify administrators when users are being locked out due to multiple failed sign-ins.
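As an added illustration (not part of this page and not Microsoft's implementation), the following Python model shows how the three settings from step 5 interact: a threshold of 10, a 15-minute lockout duration, and a 15-minute reset counter period. It assumes a simplified model in which attempts made while a lockout is active are rejected without being counted, and the constructed attempt sequences in `demo()` are sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Policy values from the "common setup" in step 5 (illustrative model).
THRESHOLD = 10                          # failed attempts before lockout
LOCKOUT_DURATION = timedelta(minutes=15)  # how long the account stays locked
RESET_WINDOW = timedelta(minutes=15)      # idle time after which the counter resets

@dataclass
class LockoutState:
    failures: int = 0
    last_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None
    lockouts: list = field(default_factory=list)  # times at which lockouts began

def process_attempt(state, when, success):
    """Apply one sign-in attempt; return 'locked', 'success' or 'failed'."""
    if state.locked_until is not None:
        if when < state.locked_until:
            return "locked"             # assumption: rejected, not counted
        state.locked_until = None       # lockout duration has elapsed
        state.failures = 0
    if state.last_failure and when - state.last_failure >= RESET_WINDOW:
        state.failures = 0              # reset counter period elapsed
    if success:
        state.failures = 0
        return "success"
    state.failures += 1
    state.last_failure = when
    if state.failures >= THRESHOLD:
        state.locked_until = when + LOCKOUT_DURATION
        state.lockouts.append(when)
    return "failed"

def simulate(events):
    """events: list of (timestamp, success) tuples; returns (outcomes, lockout times)."""
    state = LockoutState()
    return [process_attempt(state, t, ok) for t, ok in events], state.lockouts

def demo():
    t0 = datetime(2024, 1, 1, 9, 0)
    # Constructed burst: 10 failures one minute apart, then two correct sign-ins.
    burst = [(t0 + timedelta(minutes=i), False) for i in range(10)]
    burst += [(t0 + timedelta(minutes=10), True), (t0 + timedelta(minutes=30), True)]
    # Constructed slow sequence: 9 failures, a 22-minute pause, then one more failure.
    slow = [(t0 + timedelta(hours=1, minutes=i), False) for i in range(9)]
    slow.append((t0 + timedelta(hours=1, minutes=30), False))
    return simulate(burst) + simulate(slow)

if __name__ == "__main__":
    print(demo())
```

The burst locks the account on the tenth failure and rejects the correct password at 09:10, while the slow sequence never locks because the counter reset before the tenth failure.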

Backout Plan (Manual):

  1. Sign in to Azure portal:

    • Use an account with Global Administrator or Security Administrator permissions.

  2. Navigate to Microsoft Entra ID (Azure AD):

    • Go to Azure Active Directory > Security > Authentication methods.

  3. Revert the Lockout Threshold:

    • In the Authentication methods pane, change the lockout threshold back to its previous (higher) value, or revert to the default settings.

  4. Save the Configuration:

    • Click Save to apply the changes and restore the previous lockout threshold settings.

  5. Verify the Backout Configuration:

    • After applying the changes, test the configuration to ensure that the lockout threshold has been reverted and that the previous behavior is restored.

  6. Test the Reverted Configuration:

    • Perform tests by intentionally entering incorrect login credentials and verify that the new lockout threshold has been restored.

References: