Default Settings - Password Rule Settings - Smart Lockout - Lockout threshold
The number of failed sign-ins allowed on an account before Smart Lockout locks it for the first time. If the first sign-in after the lockout period also fails, the account is locked again (for a longer duration). In hybrid tenants that use password hash sync or pass-through authentication, keep this threshold below the on-premises AD DS account lockout threshold so that Entra ID locks the attacker out before the on-premises account is locked.
| Property | Value |
|---|---|
| Name | LockoutThreshold |
| Control | Default Settings - Password Rule Settings |
| Description | Defines the password protection and Smart Lockout configuration used to customize the tenant-wide and object-specific restrictions and allowed behavior. |
| Severity | High |
How to fix
Details of configuration item
| Property | Value |
|---|---|
| Recommendation | Prevent attacks using smart lockout - Microsoft Entra ID - Microsoft Learn |
| Configuration | settings |
| Setting | `values` (entry with `name` = `LockoutThreshold`) |
| Recommended Value | less than or equal to 10 |
| Default Value | 10 |
| Graph API Docs | directorySetting resource type - Microsoft Graph beta - Microsoft Learn |
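The check below is an added example for this page, not code from the original page or from the tool the page belongs to. It reads the tenant's `Password Rule Settings` directorySetting through the Microsoft Graph beta endpoint using `Invoke-MgGraphRequest` (Microsoft.Graph.Authentication module), compares `LockoutThreshold` against the recommended maximum, and optionally remediates. The parameter names and the `-Remediate` switch are this example's own; the template and setting names are the ones documented for directorySettingTemplates. A tenant that has never changed its password rules has no settings object at all, in which case the template default (10) applies, and the example handles that case rather than treating the missing object as a failure.

```powershell
# Added example, not part of the original page.
# Check (and optionally fix) the Smart Lockout threshold stored in the
# "Password Rule Settings" directorySetting.
# Requires Microsoft.Graph.Authentication. Directory.Read.All is enough for
# the check; Directory.ReadWrite.All is needed for -Remediate.
param(
    [int]$MaxThreshold = 10,   # recommended value: less than or equal to 10
    [switch]$Remediate
)

Connect-MgGraph -Scopes 'Directory.ReadWrite.All' -NoWelcome

$graph = 'https://graph.microsoft.com/beta'

# The tenant-wide object only exists once the template has been instantiated.
$settings = Invoke-MgGraphRequest -Method GET -Uri "$graph/settings"
$pwdRules = $settings.value | Where-Object { $_.displayName -eq 'Password Rule Settings' }

# Always resolve the template: it gives the default value and the templateId
# needed if we have to create the settings object.
$template = (Invoke-MgGraphRequest -Method GET -Uri "$graph/directorySettingTemplates").value |
    Where-Object { $_.displayName -eq 'Password Rule Settings' }

if (-not $pwdRules) {
    $default = ($template.values | Where-Object { $_.name -eq 'LockoutThreshold' }).defaultValue
    $current = [int]$default
    Write-Host "No Password Rule Settings object; template default LockoutThreshold = $current applies."
}
else {
    $current = [int](($pwdRules.values | Where-Object { $_.name -eq 'LockoutThreshold' }).value)
    Write-Host "LockoutThreshold = $current (directorySetting id $($pwdRules.id))"
}

if ($current -le $MaxThreshold) {
    Write-Host "PASS: LockoutThreshold $current is less than or equal to $MaxThreshold"
    return
}

Write-Warning "FAIL: LockoutThreshold $current exceeds $MaxThreshold"
if (-not $Remediate) { return }

if (-not $pwdRules) {
    # No object yet: instantiate the template with the desired value.
    $body = @{
        templateId = $template.id
        values     = @(@{ name = 'LockoutThreshold'; value = "$MaxThreshold" })
    }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/settings" -Body $body
}
else {
    # Send the full values collection, changing only LockoutThreshold, so no
    # other password rule setting is unintentionally reset.
    $newValues = foreach ($v in $pwdRules.values) {
        if ($v.name -eq 'LockoutThreshold') { @{ name = $v.name; value = "$MaxThreshold" } }
        else                                { @{ name = $v.name; value = $v.value } }
    }
    Invoke-MgGraphRequest -Method PATCH -Uri "$graph/settings/$($pwdRules.id)" -Body @{ values = $newValues }
}
Write-Host "LockoutThreshold set to $MaxThreshold"
```

Run it without `-Remediate` first to see the current value; the default of 10 already satisfies the recommendation, so a tenant only fails this check if an administrator raised the threshold. Lowering it well below 10 makes it easier for an attacker to lock legitimate users out, so pick the value together with the lockout duration rather than in isolation.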
MITRE ATT&CK
| Tactic | Technique | Mitigation |
|---|---|---|
| TA0006 - Credential Access | T1110 - Brute Force | M1018 - User Account Management; M1027 - Password Policies |