Description:

The 'Lockout duration in seconds' setting defines how long an account remains locked after the account lockout threshold has been exceeded. The duration matters for account protection because it slows brute-force and password-guessing attempts against an account. Setting the lockout duration to 60 seconds or more imposes a meaningful delay on repeated failed attempts while keeping the lockout short enough that users can recover from a temporary lockout without undue disruption.

If the lockout duration is too short, attackers might bypass the lockout by quickly retrying their guesses. If the duration is too long, legitimate users could be inconvenienced.

Rationale:

By ensuring that the lockout duration is at least 60 seconds, you:

  • Reduce the likelihood of successful brute-force attacks by forcing attackers to wait before attempting to guess passwords again.

  • Protect against rapid guessing attacks: If the lockout duration is too short, attackers may continuously try different passwords without meaningful delay.

  • Improve user experience: A lockout duration of 60 seconds provides a reasonable window for users to recover from failed login attempts while preventing malicious users from attempting to bypass the system too quickly.

Impact:

Setting the lockout duration to 60 seconds:

  • Increases security by introducing a delay that makes brute-force attacks less effective.

  • Reduces the chances of unauthorized login attempts within a short window of time.

  • Slightly impacts user experience as legitimate users will have to wait 60 seconds (or more) after exceeding the lockout threshold. However, this is a trade-off for increased security.

Default Value:

By default, Azure AD does not enforce a specific lockout duration; the value is typically 60 seconds or longer for password reset and lockout scenarios, but it must be verified or adjusted manually as part of your security practices.

Pre-requisites:

  • Azure subscription with Microsoft Entra ID (Azure AD) configured.

  • Global Administrator or Security Administrator role permissions to configure lockout settings.

  • Access to Azure AD Authentication settings to modify lockout policies.

Audit:

  1. Sign in to the Azure portal as a Global Administrator or Security Administrator.

  2. Navigate to Microsoft Entra ID > Security > Authentication methods.

  3. Verify that the 'Lockout duration in seconds' setting is configured to 60 seconds or more.
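The portal check above can also be scripted. The following is an added audit example, not part of the benchmark text, using the Microsoft Graph PowerShell SDK; it assumes the beta module Microsoft.Graph.Beta.Identity.DirectoryManagement and that smart lockout values are stored in the "Password Rule Settings" directory setting template as LockoutDurationInSeconds and LockoutThreshold (an assumption based on the Graph directorySettingTemplate documentation). When no tenant-level setting object exists, the template defaults are what the tenant is actually using, so the script falls back to them rather than reporting "not configured".

```powershell
# Added audit script (not from the benchmark). Assumptions: Microsoft.Graph.Beta
# DirectoryManagement module is installed, and the "Password Rule Settings"
# template carries LockoutDurationInSeconds / LockoutThreshold.
Connect-MgGraph -Scopes "Directory.Read.All"

function Get-LockoutSetting {
    param([Parameter(Mandatory)][string]$Name)

    # Tenant-level override exists only if an administrator has saved the blade
    $setting = Get-MgBetaDirectorySetting |
        Where-Object { $_.DisplayName -eq "Password Rule Settings" }
    if ($setting) {
        return [int](($setting.Values | Where-Object { $_.Name -eq $Name }).Value)
    }

    # No override object: the template's default value is the effective setting
    $template = Get-MgBetaDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq "Password Rule Settings" }
    return [int](($template.Values | Where-Object { $_.Name -eq $Name }).DefaultValue)
}

$duration  = Get-LockoutSetting -Name "LockoutDurationInSeconds"
$threshold = Get-LockoutSetting -Name "LockoutThreshold"

# Benchmark condition: lockout duration must be at least 60 seconds
$verdict = if ($duration -ge 60) { "PASS" } else { "FAIL" }
Write-Output ("Lockout duration: {0}s  Lockout threshold: {1} failures  => {2}" -f `
    $duration, $threshold, $verdict)
```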

Implementation Steps (Manual):

  1. Sign in to the Azure portal:

    • Use an account with Global Administrator or Security Administrator permissions.

  2. Navigate to Microsoft Entra ID (Azure AD):

    • In the Azure portal, go to Azure Active Directory.

  3. Go to Authentication Methods:

    • Under Security, select Authentication methods.

  4. Configure the Account Lockout Settings:

    • In the Authentication methods pane, locate the account lockout settings.

    • Set the 'Lockout duration in seconds' to 60 or more.

  5. Configure Other Lockout Settings:

    • Review other related settings such as lockout threshold (number of failed attempts before locking the account) and reset counter period (time window in which failed attempts are counted). A recommended configuration could be:

      • Lockout threshold: 10 failed attempts

      • Lockout duration: 60 seconds

      • Reset counter period: 15 minutes

  6. Save the Configuration:

    • After setting the 'Lockout duration in seconds' to 60 or more, click Save to apply the changes.

  7. Verify the Lockout Duration:

    • After saving the configuration, test the setting by attempting to log in with incorrect credentials multiple times, ensuring the account is locked and the user is required to wait at least 60 seconds before trying again.

  8. Communicate to Users:

    • Inform users that the account lockout duration has been set to 60 seconds to ensure they understand the reason behind the new policy and avoid frustration with temporary lockouts.

  9. Monitor and Review:

    • Use Azure AD logs to monitor failed sign-in attempts and account lockouts to ensure that the new configuration is working as expected.

    • Set up alerts in Azure Monitor for any significant spikes in account lockouts.
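For step 9, the following added monitoring example (not from the benchmark) pulls recent lockout events from the Entra ID sign-in logs with the Microsoft Graph PowerShell SDK and flags accounts locked out repeatedly. It assumes the Microsoft.Graph.Reports module, that sign-in error code 50053 is the "account locked" result, and a spike threshold of 5 lockouts per account per 24 hours, which is a constructed value to tune for your tenant.

```powershell
# Added monitoring example (not from the benchmark). Assumptions: Microsoft.Graph.Reports
# module is installed; error code 50053 marks a sign-in rejected because the
# account is locked; the spike threshold below is a constructed starting point.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$SpikeThreshold = 5
$since = (Get-Date).AddHours(-24).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Server-side filter keeps the download small: only lockout results in the window
$lockouts = Get-MgAuditLogSignIn -All `
    -Filter "status/errorCode eq 50053 and createdDateTime ge $since"

if (-not $lockouts) {
    Write-Output "No account lockouts in the last 24 hours."
    return
}

# Per-account view: repeated lockouts from many source IPs against one account,
# or one IP driving lockouts on many accounts, is what an alert should key on
$byUser = $lockouts | Group-Object UserPrincipalName | Sort-Object Count -Descending
$byUser |
    Select-Object @{ n = 'User'; e = { $_.Name } },
                  Count,
                  @{ n = 'SourceIPs'; e = { ($_.Group.IPAddress | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Simple spike rule: any account exceeding the threshold gets a warning line
$spikes = $byUser | Where-Object { $_.Count -gt $SpikeThreshold }
foreach ($s in $spikes) {
    Write-Warning ("Lockout spike: {0} locked out {1} times in 24h" -f $s.Name, $s.Count)
}
```

Export the warnings to your SIEM or wire the same filter into an Azure Monitor alert rule so the check runs on a schedule rather than by hand.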

Backout Plan (Manual):

  1. Sign in to the Azure portal:

    • Use an account with Global Administrator or Security Administrator permissions.

  2. Navigate to Microsoft Entra ID (Azure AD):

    • Go to Azure Active Directory > Security > Authentication methods.

  3. Revert the Lockout Duration:

    • In the Authentication methods pane, locate the 'Lockout duration in seconds' setting and set it back to a shorter duration (or the default value, if needed).

  4. Save the Configuration:

    • Click Save to apply the changes.

  5. Test the Reverted Configuration:

    • Attempt to log in with invalid credentials and confirm that the new lockout duration has been reverted.

  6. Verify the Change:

    • Test to ensure that the lockout duration is now set to the desired value, and that the user experience is consistent with the changes.

References: