ID-05: Configure Smart Lockout Protection

Overview

Smart lockout protects accounts from password spray and brute-force attacks by locking out sign-in attempts after too many failures, while still letting legitimate users in. This guide walks you through enabling smart lockout, setting a strict lockout threshold and duration, and configuring a custom banned password list to reject organization-specific weak passwords.

Why This Matters: Password spray attacks try common passwords across many accounts. Smart lockout detects these patterns and blocks attackers while allowing legitimate users to authenticate. Weak settings leave you vulnerable.

Control ID: ID-05
Category: Identity & Authentication
Baseline Level: Level 1 (Recommended Secure)
Severity: Low
License Required: None
Remediation: Advisory / manual (configured in the Entra admin center)

Expected State

  • Smart lockout is enabled with appropriate thresholds
  • Lockout threshold is 5 or fewer failed attempts
  • Custom banned password list is configured

How Smart Lockout Works

Smart lockout tracks failed sign-in attempts and locks the account for a period once the threshold is reached. It is intelligent about the source:

  • It distinguishes familiar sign-in locations from unfamiliar ones, so an attacker spraying from a new location is locked out faster than the real user
  • The same wrong password entered repeatedly counts as a single failed attempt (it does not needlessly burn the counter)
  • Lockout duration increases if failed attempts continue after the first lockout

Smart lockout is enabled by default in Microsoft Entra ID, but the default threshold and duration should be tightened to meet this control.

Prerequisites

Required Roles

  • Global Administrator or Authentication Policy Administrator - to configure password protection and smart lockout

License Requirements

Feature                                 License
Smart lockout (cloud)                   Free (included with Entra ID)
Global banned password list             Free (included with Entra ID)
Custom banned password list             Microsoft Entra ID P1 or P2
Password protection for on-premises AD  Microsoft Entra ID P1 or P2

Note: The core smart lockout control requires no license. The optional custom banned password list requires Entra ID P1. If you do not have P1, you still meet the primary lockout requirements and benefit from Microsoft's global banned list, which is free.

Pre-Checks

  1. Confirm which admin will make the change (Global Administrator or Authentication Policy Administrator)
  2. If configuring a custom banned password list, verify you have Entra ID P1 or P2
  3. For hybrid environments, identify on-premises domain controllers for later agent deployment

Time Estimate

Task                                                  Duration
Configure smart lockout threshold and duration        15 minutes
Compile and configure custom banned password list     30-60 minutes
Testing                                               30 minutes

Total: About 1-2 hours (mostly banned-list compilation and testing)

Step-by-Step Instructions

Step 1: Open Password Protection Settings

Navigation: Entra admin center > Protection > Authentication methods > Password protection

  1. Sign in to the Microsoft Entra admin center
  2. Navigate to Protection > Authentication methods
  3. Click Password protection

Smart lockout and the banned password lists are configured on this page.

Step 2: Set the Lockout Threshold

Under Custom smart lockout:

  1. Lockout threshold: Set to 5 (or fewer) failed sign-in attempts before the account is locked out
    • The default is 10; this control requires 5 or fewer
    • A lower threshold stops password spray sooner
  2. Smart lockout tracks failures per unfamiliar location, so a strict threshold does not typically lock out the legitimate user who mistypes their own password a couple of times

Step 3: Set the Lockout Duration

Still under Custom smart lockout:

  1. Lockout duration in seconds: Set to 60 seconds or more
    • 60 seconds is the minimum; the duration automatically increases as repeated lockouts occur
    • A longer initial duration slows an attacker further at the cost of a short wait for a genuinely locked-out user
  2. Click Save

Cloud smart lockout settings take effect immediately.

Step 4: Configure a Custom Banned Password List

The global banned list already blocks 3,000+ common weak passwords. Add a custom list to block terms unique to your organization that attackers would try (company name, product names, locations).

Under Custom banned passwords:

  1. Enforce custom list: Set to Yes
  2. Custom banned password list: Enter your organization-specific terms, one per line

Guidelines:

  • Use base words only - Entra ID automatically blocks common variations and character substitutions (contoso also blocks C0nt0so, Contoso1!, Contoso2024)
  • Terms must be at least 4 characters; shorter terms are ignored
  • You can add up to 1,000 terms

Example list:

contoso
fabrikam
widgetpro
seattlehq
projectalpha
headquarters
welcomenew
  3. Click Save

The custom banned password list requires Entra ID P1. If you do not have P1, skip this step - smart lockout and the free global banned list still satisfy the core protections.

Step 5: (Hybrid Only) Extend Protection to On-Premises AD

If you have on-premises Active Directory, deploy the Microsoft Entra Password Protection agents so smart lockout and banned passwords also apply to on-premises password changes.

  1. Download the Microsoft Entra Password Protection Proxy and DC Agent installers from the Microsoft Download Center (ID 57071)

  2. Install the Proxy Service on 2+ member servers, then register it:

    Import-Module AzureADPasswordProtection
    Register-AzureADPasswordProtectionProxy -AccountUpn admin@yourdomain.com

  3. Install the DC Agent on each domain controller and reboot

  4. Register the forest (once):

    Register-AzureADPasswordProtectionForest -AccountUpn admin@yourdomain.com

  5. Start on-premises enforcement in Audit mode, verify behavior in the DC Agent event logs, then switch Mode to Enforced.

Verification Checklist

  • Smart lockout is enabled
  • Lockout threshold is set to 5 or fewer failed attempts
  • Lockout duration is set to 60 seconds or more
  • Custom banned password list is configured and enforced (if P1 licensed)
  • Cloud password/sign-in behavior tested (locked out after threshold; banned terms rejected)
  • On-premises agents installed and in Enforced mode (hybrid environments only)
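To confirm the values saved in Steps 2 to 4 without clicking through the portal, here is an added PowerShell check; it is not part of the original guide. It assumes the Microsoft Graph PowerShell SDK, read access to directory settings, and that smart lockout is stored in the "Password Rule Settings" directory setting with the value names used below (LockoutThreshold, LockoutDurationInSeconds, EnableBannedPasswordCheck, tab-delimited BannedPasswordList, and the on-premises mode values), which you should confirm against your own tenant.

```powershell
# Added example (not from the original guide): read the cloud Password Rule Settings
# through Microsoft Graph and compare them with the ID-05 expected state.
# Assumptions: Microsoft.Graph SDK installed; the account can read directory settings;
# the values live in the "Password Rule Settings" object at the beta /settings endpoint
# and BannedPasswordList is stored tab-delimited.
Connect-MgGraph -Scopes "Directory.Read.All" -NoWelcome

$resp = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "https://graph.microsoft.com/beta/settings"
$pw = $resp.value | Where-Object { $_.displayName -eq "Password Rule Settings" }

# If Password protection has never been saved, no setting object exists and the
# Entra defaults apply (threshold 10, 60 s duration, custom list off, on-prem Audit).
$v = @{ LockoutThreshold = "10"; LockoutDurationInSeconds = "60"; EnableBannedPasswordCheck = "False"
        BannedPasswordList = ""; EnableBannedPasswordCheckOnPremises = "False"
        BannedPasswordCheckOnPremisesMode = "Audit" }
if ($pw) { foreach ($item in $pw.values) { $v[$item.name] = $item.value } }

$threshold = [int]$v["LockoutThreshold"]
$duration  = [int]$v["LockoutDurationInSeconds"]
$customOn  = [bool]::Parse($v["EnableBannedPasswordCheck"])
$terms     = @($v["BannedPasswordList"] -split "`t" | Where-Object { $_ })
$short     = @($terms | Where-Object { $_.Length -lt 4 })   # Entra silently ignores these

$checks = @(
    [pscustomobject]@{ Check = "Lockout threshold is 5 or fewer";  Value = $threshold;   Pass = ($threshold -le 5) }
    [pscustomobject]@{ Check = "Lockout duration is 60 s or more"; Value = $duration;    Pass = ($duration -ge 60) }
    [pscustomobject]@{ Check = "Custom banned list enforced (P1)"; Value = $customOn;    Pass = $customOn }
    [pscustomobject]@{ Check = "No custom terms under 4 chars";    Value = $short.Count; Pass = ($short.Count -eq 0) }
)
# Hybrid tenants only: Step 5 ends with the on-premises mode switched from Audit to Enforce
if ([bool]::Parse($v["EnableBannedPasswordCheckOnPremises"])) {
    $mode = $v["BannedPasswordCheckOnPremisesMode"]
    $checks += [pscustomobject]@{ Check = "On-prem mode is Enforce"; Value = $mode; Pass = ($mode -eq "Enforce") }
}

$checks | Format-Table -AutoSize
if ($checks.Pass -contains $false) { Write-Warning "ID-05: one or more checks failed; see the table above." }
```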

Troubleshooting

Lockout Threshold Not Taking Effect

Problem: Accounts are not locking out at the expected count.

Solutions:

  1. Verify the threshold is saved on Password protection and set to 5 or fewer
  2. Remember that repeating the same wrong password counts as one failed attempt
  3. Smart lockout adapts to familiar vs unfamiliar locations, so behavior differs by sign-in source
  4. Allow a few minutes for settings to propagate

Legitimate User Repeatedly Locked Out

Problem: A real user hits lockout frequently.

Solutions:

  1. Check for a device or app caching an old password and retrying it (mobile mail clients are common culprits)
  2. Have the user update the cached credential on every device
  3. Confirm the account is not being targeted by a password spray (review sign-in logs)

Custom Banned List Not Blocking Passwords

Problem: Users can still set passwords containing banned terms.

Solutions:

  1. Verify Enforce custom list is set to Yes
  2. Confirm the term is at least 4 characters
  3. Verify an Entra ID P1/P2 license is active (custom lists require P1)
  4. Allow 15-30 minutes for propagation

On-Premises Passwords Not Being Blocked

Problem: AD password changes bypass the policy.

Solutions:

  1. Verify the DC Agent is running on all domain controllers: Get-Service AzureADPasswordProtectionDCAgent
  2. Confirm Mode is set to Enforced, not Audit
  3. Verify the Proxy Service is running and registered: Get-AzureADPasswordProtectionProxy
  4. Confirm forest registration completed
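For the hybrid troubleshooting steps above, here is an added PowerShell health check; it is not from the original guide. It assumes the AzureADPasswordProtection and ActiveDirectory modules on the management host, WinRM access to each domain controller, and that Get-AzureADPasswordProtectionDCAgent returns ServerFQDN, SoftwareVersion and HeartbeatUTC properties (confirm the names in your environment).

```powershell
# Added example (not from the original guide): one pass over the on-premises pieces
# deployed in Step 5, mapped to solutions 1, 3 and 4 of this troubleshooting entry.
# Assumptions: AzureADPasswordProtection and ActiveDirectory modules are installed here,
# WinRM is reachable on every DC, and the DC Agent property names below are correct.
Import-Module AzureADPasswordProtection
Import-Module ActiveDirectory

# 1. DC Agent service state on every domain controller in the current domain
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$agentStatus = foreach ($dc in $dcs) {
    $svc = Invoke-Command -ComputerName $dc -ErrorAction SilentlyContinue -ScriptBlock {
        Get-Service -Name AzureADPasswordProtectionDCAgent -ErrorAction SilentlyContinue
    }
    $status = if ($svc) { $svc.Status } else { "not installed / unreachable" }
    [pscustomobject]@{ DC = $dc; DCAgent = $status }
}
$agentStatus | Format-Table -AutoSize
$bad = @($agentStatus | Where-Object { $_.DCAgent -ne "Running" })
if ($bad.Count -gt 0) { Write-Warning "DC Agent not running on $($bad.Count) DC(s); reinstall or start the service." }

# 3. Registered proxies: an empty list means Register-AzureADPasswordProtectionProxy never completed
$proxies = @(Get-AzureADPasswordProtectionProxy)
if ($proxies.Count -eq 0) { Write-Warning "No registered Password Protection proxy found." }
else { $proxies | Format-Table -AutoSize }

# 4. Agents as seen by the service; a stale HeartbeatUTC means that DC is not reporting
# (forest registration must have completed for any agent to appear here)
Get-AzureADPasswordProtectionDCAgent | Format-Table ServerFQDN, SoftwareVersion, HeartbeatUTC -AutoSize
```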

Cost Considerations

Feature                          License       Cost
Smart lockout                    Free          $0
Global banned password list      Free          $0
Custom banned password list      Entra ID P1   ~$6/user/month (often already owned)
On-premises password protection  Entra ID P1   Included with P1

The core control (smart lockout) has no license cost. If you already own P1 for Conditional Access or PIM, the custom banned list is included at no extra charge.

Best Practices

  • Set the threshold to 5 (or lower) rather than the default of 10 to stop password spray earlier
  • Keep the lockout duration at 60 seconds or more; it escalates automatically under sustained attack
  • Maintain the custom banned list quarterly, adding new brand, product, and location terms after acquisitions or rebrands
  • Pair smart lockout with MFA (ID-01/CA-01) and block legacy authentication (ID-02), since legacy protocols can bypass modern protections

Related Controls

Additional Resources