AAD – Smart Lockout (SL)
Azure AD Smart Lockout (SL) is a machine intelligence algorithm create to be able to distinguish between genuine users and attackers. It can recognize sign-in coming from valid users and threat them differently than ones of attackers and other unknown sources. The factors include past sign-in behaviour, user’s devices and browsers.
By default, smart lockout locks the account from sign-in attempts for one minute after ten failed attempts. The account locks again after each subsequent failed sign-in attempt, for one minute at first and longer in subsequent attempts. The lockout threshold is automatically adjusted.
Customization of the smart lockout settings, with values specific to your organization, requires Azure AD Basic or higher licenses for your users.
Smart lockout can be integrated with hybrid deployments, using password hash sync or pass-through authentication to protect on-premises Active Directory accounts from being locked out by attackers. By setting smart lockout policies in Azure AD appropriately, attacks can be filtered out before they reach on-premises Active Directory.
When using pass-through authentication, you need to make sure that:
- The Azure AD lockout threshold is less than the Active Directory account lockout threshold. Set the values so that the Active Directory account lockout threshold is at least two or three times longer than the Azure AD lockout threshold.
- The Azure AD lockout duration in seconds is longer than the Active Directory reset account lockout counter after duration minutes.
Verify on-premises account lockout policy
Currently an administrator can’t unlock the users’ cloud accounts if they have been locked out by the Smart Lockout capability. The administrator must wait for the lockout duration to expire.