ID-05: Configure Smart Lockout Protection
Overview
Smart lockout protects accounts from password spray and brute-force attacks by locking out sign-in attempts after too many failures, while still letting legitimate users in. This guide walks you through enabling smart lockout, setting a strict lockout threshold and duration, and configuring a custom banned password list to reject organization-specific weak passwords.
Why This Matters: Password spray attacks try common passwords across many accounts. Smart lockout detects these patterns and blocks attackers while allowing legitimate users to authenticate. Weak settings leave you vulnerable.
- Control ID: ID-05
- Category: Identity & Authentication
- Baseline Level: Level 1 (Recommended Secure)
- Severity: Low
- License Required: None
- Remediation: Advisory / manual (configured in the Entra admin center)
Expected State
- Smart lockout is enabled with appropriate thresholds
- Lockout threshold is 5 or fewer failed attempts
- Custom banned password list is configured
How Smart Lockout Works
Smart lockout tracks failed sign-in attempts and locks the account for a period once the threshold is reached. It is intelligent about the source:
- It distinguishes familiar sign-in locations from unfamiliar ones, so an attacker spraying from a new location is locked out faster than the real user
- The same wrong password entered repeatedly counts as a single failed attempt (it does not needlessly burn the counter)
- Lockout duration increases if failed attempts continue after the first lockout
Smart lockout is enabled by default in Microsoft Entra ID, but the default threshold and duration should be tightened to meet this control.
Prerequisites
Required Roles
- Global Administrator or Authentication Policy Administrator - to configure password protection and smart lockout
License Requirements
| Feature | License |
|---|---|
| Smart lockout (cloud) | Free (included with Entra ID) |
| Global banned password list | Free (included with Entra ID) |
| Custom banned password list | Microsoft Entra ID P1 or P2 |
| Password protection for on-premises AD | Microsoft Entra ID P1 or P2 |
Note: The core smart lockout control requires no license. The optional custom banned password list requires Entra ID P1. If you do not have P1, you still meet the primary lockout requirements and benefit from Microsoft's global banned list, which is free.
Pre-Checks
- Confirm which admin will make the change (Global Administrator or Authentication Policy Administrator)
- If configuring a custom banned password list, verify you have Entra ID P1 or P2
- For hybrid environments, identify on-premises domain controllers for later agent deployment
Time Estimate
| Task | Duration |
|---|---|
| Configure smart lockout threshold and duration | 15 minutes |
| Compile and configure custom banned password list | 30-60 minutes |
| Testing | 30 minutes |
Total: About 1-2 hours (mostly banned-list compilation and testing)
Step-by-Step Instructions
Step 1: Open Password Protection Settings
Navigation: Entra admin center > Protection > Authentication methods > Password protection
- Sign in to the Microsoft Entra admin center
- Navigate to Protection > Authentication methods
- Click Password protection
Smart lockout and the banned password lists are configured on this page.
Step 2: Set the Lockout Threshold
Under Custom smart lockout:
- Lockout threshold: Set to 5 (or fewer) failed sign-in attempts before the account is locked out
- The default is 10; this control requires 5 or fewer
- A lower threshold stops password spray sooner
- Smart lockout tracks failures per unfamiliar location, so a strict threshold does not typically lock out the legitimate user who mistypes their own password a couple of times
Step 3: Set the Lockout Duration
Still under Custom smart lockout:
- Lockout duration in seconds: Set to 60 seconds or more
- 60 seconds is the minimum; the duration automatically increases as repeated lockouts occur
- A longer initial duration slows an attacker further at the cost of a short wait for a genuinely locked-out user
- Click Save
Cloud smart lockout settings take effect immediately.
Step 4: Configure a Custom Banned Password List
The global banned list already blocks 3,000+ common weak passwords. Add a custom list to block terms unique to your organization that attackers would try (company name, product names, locations).
Under Custom banned passwords:
- Enforce custom list: Set to Yes
- Custom banned password list: Enter your organization-specific terms, one per line
Guidelines:
- Use base words only - Entra ID automatically blocks common variations and character substitutions (contoso also blocks C0nt0so, Contoso1!, Contoso2024)
- Terms must be at least 4 characters; shorter terms are ignored
- You can add up to 1,000 terms
Example list:
contoso
fabrikam
widgetpro
seattlehq
projectalpha
headquarters
welcomenew
- Click Save
The custom banned password list requires Entra ID P1. If you do not have P1, skip this step - smart lockout and the free global banned list still satisfy the core protections.
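Before pasting terms into the custom list, it pays to clean the draft against the rules above (base words only, at least 4 characters, at most 1,000 terms). The following PowerShell script is an added example written for this guide, not Microsoft's code or the control's own tooling. The substitution map it uses to spot redundant variants (0/o, 1/l, $/s, @/a) and the trailing-digit stripping are assumptions made for the example, and the draft list is constructed.

```powershell
# Added example (not from the control page or from Microsoft): cleans a draft custom
# banned password list against the rules in Step 4 (base words only, 4-character minimum,
# 1,000-term cap). The substitution map and trailing-suffix stripping used to spot
# redundant variants are assumptions made for this example.

function ConvertTo-BaseTerm {
    param([Parameter(Mandatory)][string]$Term)
    $t = $Term.Trim().ToLowerInvariant()
    $t = $t -replace '[\d\W_]+$', ''      # drop trailing digits/punctuation: contoso2024! -> contoso
    # Assumed substitution map; undo common character swaps: c0nt0so -> contoso
    $t = $t.Replace('0', 'o').Replace('1', 'l').Replace('$', 's').Replace('@', 'a')
    return $t
}

function Optimize-BannedPasswordList {
    param(
        [Parameter(Mandatory)][string[]]$Terms,
        [int]$MinLength = 4,      # shorter terms are ignored by the service
        [int]$MaxTerms  = 1000    # hard cap on the custom list
    )
    $keep     = [System.Collections.Generic.List[string]]::new()
    $seen     = [System.Collections.Generic.HashSet[string]]::new()
    $warnings = [System.Collections.Generic.List[string]]::new()

    foreach ($raw in $Terms) {
        $term = $raw.Trim().ToLowerInvariant()
        if (-not $term) { continue }
        if ($term.Length -lt $MinLength) {
            $warnings.Add("'$raw' dropped: shorter than $MinLength characters, so it would be ignored")
            continue
        }
        $base = ConvertTo-BaseTerm -Term $term
        if ($base -ne $term -and $base.Length -ge $MinLength) {
            # Variants add nothing: the service blocks variants of a base word on its own.
            $warnings.Add("'$raw' replaced by base word '$base'")
            if ($seen.Add($base)) { $keep.Add($base) }
            continue
        }
        if (-not $seen.Add($term)) {
            $warnings.Add("'$raw' dropped: duplicate")
            continue
        }
        $keep.Add($term)
    }
    if ($keep.Count -gt $MaxTerms) {
        $warnings.Add("$($keep.Count) terms exceed the cap; only the first $MaxTerms are kept")
        $keep = $keep.GetRange(0, $MaxTerms)
    }
    [pscustomobject]@{ Terms = $keep.ToArray(); Warnings = $warnings.ToArray() }
}

# Constructed draft with the mistakes a first pass usually contains.
$draft  = @('Contoso', 'C0nt0so', 'Contoso2024!', 'fabrikam', 'HQ', 'widgetpro',
            'WidgetPro', 'seattlehq', 'projectalpha', 'welcome1')
$result = Optimize-BannedPasswordList -Terms $draft
$result.Warnings | ForEach-Object { Write-Warning $_ }
# Cleaned terms, one per line, ready to paste into "Custom banned password list":
$result.Terms -join "`n"
```

The script deliberately keeps a term whose base word would fall under 4 characters (for example hq2024), because the shorter base would be ignored by the service; everything else is reduced to the base word the control asks for.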
Step 5: (Hybrid Only) Extend Protection to On-Premises AD
If you have on-premises Active Directory, deploy the Microsoft Entra Password Protection agents so smart lockout and banned passwords also apply to on-premises password changes.
- Download the Microsoft Entra Password Protection Proxy and DC Agent installers from the Microsoft Download Center (ID 57071)
- Install the Proxy Service on 2+ member servers, then register it:
Import-Module AzureADPasswordProtection
Register-AzureADPasswordProtectionProxy -AccountUpn admin@yourdomain.com
- Install the DC Agent on each domain controller and reboot
- Register the forest (once):
Register-AzureADPasswordProtectionForest -AccountUpn admin@yourdomain.com
Start on-premises enforcement in Audit mode, verify behavior in the DC Agent event logs, then switch Mode to Enforced.
Verification Checklist
- Smart lockout is enabled
- Lockout threshold is set to 5 or fewer failed attempts
- Lockout duration is set to 60 seconds or more
- Custom banned password list is configured and enforced (if P1 licensed)
- Cloud password/sign-in behavior tested (locked out after threshold; banned terms rejected)
- On-premises agents installed and in Enforced mode (hybrid environments only)
Troubleshooting
Lockout Threshold Not Taking Effect
Problem: Accounts are not locking out at the expected count.
Solutions:
- Verify the threshold is saved on Password protection and set to 5 or fewer
- Remember that repeating the same wrong password counts as one failed attempt
- Smart lockout adapts to familiar vs unfamiliar locations, so behavior differs by sign-in source
- Allow a few minutes for settings to propagate
Legitimate User Repeatedly Locked Out
Problem: A real user hits lockout frequently.
Solutions:
- Check for a device or app caching an old password and retrying it (mobile mail clients are common culprits)
- Have the user update the cached credential on every device
- Confirm the account is not being targeted by a password spray (review sign-in logs)
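When a user keeps hitting lockout, the sign-in log tells you whether a cached credential or a password spray is behind it. The script below is an added example for this guide (not from the control page or from Microsoft): it groups failed sign-ins by source, user and app and labels the common patterns. The records are constructed for the example; error codes 50126 (invalid password) and 50053 (account locked) are the standard Entra sign-in error codes, the Get-MgAuditLogSignIn query in the comment is the assumed way to pull live records, and the thresholds are starting points to tune for your tenant.

```powershell
# Added example (not from the control page or from Microsoft): labels failed-sign-in
# patterns so a "user keeps getting locked out" ticket can be separated from a password
# spray. Error codes 50126 (invalid password) and 50053 (account locked by smart lockout)
# are the standard Entra sign-in values; thresholds and the sample records are assumptions
# constructed for this example.

function Get-FailedSignInPattern {
    param(
        [Parameter(Mandatory)][object[]]$SignIns,
        [int]$SprayMinUsers   = 5,    # distinct accounts failing from one IP
        [int]$LoopMinAttempts = 10    # same user + IP + app failing this often
    )
    $failed   = @($SignIns | Where-Object { $_.ErrorCode -in @(50126, 50053) })
    $findings = [System.Collections.Generic.List[object]]::new()

    # Password spray: one source IP, many different accounts, few attempts each.
    foreach ($g in @($failed | Group-Object IpAddress)) {
        $users = @($g.Group.UserPrincipalName | Sort-Object -Unique)
        if ($users.Count -ge $SprayMinUsers) {
            $findings.Add([pscustomobject]@{
                Pattern  = 'PasswordSpray'
                Key      = $g.Name
                Users    = $users.Count
                Attempts = $g.Count
                Action   = 'Block the source IP and check whether any of these accounts later signed in'
            })
        }
    }
    # Stale credential loop: the same user, IP and app failing over and over (mail clients).
    foreach ($g in @($failed | Group-Object UserPrincipalName, IpAddress, AppDisplayName)) {
        if ($g.Count -ge $LoopMinAttempts) {
            $findings.Add([pscustomobject]@{
                Pattern  = 'StaleCredentialLoop'
                Key      = $g.Name
                Users    = 1
                Attempts = $g.Count
                Action   = 'Have the user update the saved password in that app'
            })
        }
    }
    # Lockouts (50053) for one account from several IPs: treat as targeted until proven otherwise.
    foreach ($g in @($failed | Where-Object ErrorCode -eq 50053 | Group-Object UserPrincipalName)) {
        $ips = @($g.Group.IpAddress | Sort-Object -Unique)
        if ($ips.Count -gt 1) {
            $findings.Add([pscustomobject]@{
                Pattern  = 'TargetedLockout'
                Key      = $g.Name
                Users    = 1
                Attempts = $g.Count
                Action   = "Lockouts from $($ips.Count) IPs; review the account's full sign-in history"
            })
        }
    }
    return $findings.ToArray()
}

# Constructed sample records. Live records would come from the sign-in log, for example
# (assumed query; needs the Microsoft.Graph.Reports module and AuditLog.Read.All):
#   Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
#   $since = (Get-Date).AddHours(-24).ToUniversalTime().ToString('o')
#   Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and (status/errorCode eq 50126 or status/errorCode eq 50053)" |
#       Select-Object UserPrincipalName, IpAddress, AppDisplayName, @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } }
$sample = @(
    foreach ($i in 1..6) {     # spray: six accounts, one bad password each, one source
        [pscustomobject]@{ UserPrincipalName = "user$($i)@contoso.com"; IpAddress = '203.0.113.10'
                           AppDisplayName = 'Office 365 Exchange Online'; ErrorCode = 50126 }
    }
    foreach ($i in 1..12) {    # stale credential: a phone mail client retrying an old password
        [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; IpAddress = '198.51.100.7'
                           AppDisplayName = 'Apple Internet Accounts'; ErrorCode = 50126 }
    }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; IpAddress = '198.51.100.7'
                       AppDisplayName = 'Apple Internet Accounts'; ErrorCode = 50053 }
)

Get-FailedSignInPattern -SignIns $sample | Format-Table Pattern, Key, Users, Attempts, Action -Wrap
```

On the constructed sample the script reports one PasswordSpray finding (six accounts from 203.0.113.10) and one StaleCredentialLoop finding (alice's mail client), which is exactly the distinction the two troubleshooting bullets above ask you to make.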
Custom Banned List Not Blocking Passwords
Problem: Users can still set passwords containing banned terms.
Solutions:
- Verify Enforce custom list is set to Yes
- Confirm the term is at least 4 characters
- Verify an Entra ID P1/P2 license is active (custom lists require P1)
- Allow 15-30 minutes for propagation
On-Premises Passwords Not Being Blocked
Problem: AD password changes bypass the policy.
Solutions:
- Verify the DC Agent is running on all domain controllers:
Get-Service AzureADPasswordProtectionDCAgent
- Confirm Mode is set to Enforced, not Audit
- Verify the Proxy Service is running and registered:
Get-AzureADPasswordProtectionProxy
- Confirm forest registration completed
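To verify the hybrid deployment from Step 5 and work through the On-Premises Passwords Not Being Blocked checks above in one pass, the following PowerShell script is an added example (not part of the control page or of the Microsoft agent installers). It assumes Windows PowerShell 5.1 on a host with the ActiveDirectory and AzureADPasswordProtection modules and remote access to the domain controllers; the counter names are those the module's summary report returns, and the "still in Audit mode" inference is an assumption made here, since Mode itself is set in the Entra admin center.

```powershell
# Added example (not from the control page or from Microsoft): one-pass health check for
# the on-premises Password Protection deployment. Assumes Windows PowerShell 5.1 on a
# host with the ActiveDirectory and AzureADPasswordProtection modules and WinRM/RPC
# access to the domain controllers.
Import-Module ActiveDirectory
Import-Module AzureADPasswordProtection

function Get-PropertyTotal {
    # Sum the named counters across the per-DC rows the summary report returns.
    param([object[]]$Rows, [string[]]$Properties)
    $total = 0
    foreach ($p in $Properties) { $total += ($Rows | Measure-Object -Property $p -Sum).Sum }
    return $total
}

function Get-PasswordProtectionHealth {
    param([int]$HeartbeatMaxAgeHours = 2)   # assumption: an agent silent this long needs a look

    $cutoff = (Get-Date).ToUniversalTime().AddHours(-$HeartbeatMaxAgeHours)
    $dcs    = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)

    # 1. The DC Agent service must be installed and running on every domain controller.
    $services = @(foreach ($dc in $dcs) {
        $svc = Get-Service -Name AzureADPasswordProtectionDCAgent -ComputerName $dc -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC            = $dc
            ServiceStatus = $(if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' })
        }
    })

    # 2. Agents and proxies that registered with the forest and have reported recently.
    $agents  = @(Get-AzureADPasswordProtectionDCAgent)
    $proxies = @(Get-AzureADPasswordProtectionProxy)
    $stale   = @($agents | Where-Object { $_.HeartbeatUTC -lt $cutoff })

    # 3. Rejection counters, read from the DC Agent event logs across the forest.
    $report   = @(Get-AzureADPasswordProtectionSummaryReport -Forest)
    $enforced = Get-PropertyTotal $report @('PasswordChangesRejected', 'PasswordSetsRejected')
    $audit    = Get-PropertyTotal $report @('PasswordChangeAuditOnlyFailures', 'PasswordSetAuditOnlyFailures')

    [pscustomobject]@{
        DomainControllers      = $services
        DCsWithoutRunningAgent = @($services | Where-Object ServiceStatus -ne 'Running').DC
        RegisteredAgents       = $agents.Count
        RegisteredProxies      = $proxies.Count    # the guide calls for 2 or more
        StaleAgents            = $stale.ServerFQDN
        EnforcedRejections     = $enforced
        AuditOnlyRejections    = $audit
        # Assumption: audit-only hits with no enforced rejections means Mode is still Audit.
        LikelyStillInAuditMode = ($audit -gt 0 -and $enforced -eq 0)
    }
}

$health = Get-PasswordProtectionHealth
$health | Format-List
# Recent DC Agent admin events from one DC, for the Audit-mode review in Step 5.
Get-WinEvent -ComputerName $health.DomainControllers[0].DC `
    -LogName 'Microsoft-AzureADPasswordProtection-DCAgent/Admin' -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message
```

Run it once in Audit mode (expect AuditOnlyRejections to grow and EnforcedRejections to stay at zero) and again after switching Mode to Enforced; DCsWithoutRunningAgent and StaleAgents should both be empty before you rely on the on-premises enforcement.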
Cost Considerations
| Feature | License | Cost |
|---|---|---|
| Smart lockout | Free | $0 |
| Global banned password list | Free | $0 |
| Custom banned password list | Entra ID P1 | ~$6/user/month (often already owned) |
| On-premises password protection | Entra ID P1 | Included with P1 |
The core control (smart lockout) has no license cost. If you already own P1 for Conditional Access or PIM, the custom banned list is included at no extra charge.
Best Practices
- Set the threshold to 5 (or lower) rather than the default of 10 to stop password spray earlier
- Keep the lockout duration at 60 seconds or more; it escalates automatically under sustained attack
- Maintain the custom banned list quarterly, adding new brand, product, and location terms after acquisitions or rebrands
- Pair smart lockout with MFA (ID-01/CA-01) and block legacy authentication (ID-02), since legacy protocols can bypass modern protections
Related Controls
- ID-01: User MFA Registration - MFA blocks account takeover even when a password is guessed
- ID-02: Block Legacy Authentication - Legacy protocols can bypass smart lockout; block them
- ID-04: Require Phishing-Resistant MFA for All Users - Removes password-based attack vectors entirely
- PA-02: Use Dedicated Admin Accounts - Isolate privileged accounts that most need lockout protection