Understanding Session Lockout Policies in Microsoft Entra ID

Microsoft
Reco Security Experts
Updated August 6, 2024

Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service. As organizations move workloads to cloud services, identity becomes the primary perimeter, and protecting user accounts from credential-guessing attacks becomes paramount. One of the key security features in Microsoft Entra ID is its account lockout policy, the feature Microsoft calls smart lockout and that this article refers to as session lockout policies. These policies reduce the risk of unauthorized access and help satisfy security standards that call for lockout controls. In this article, we look at what lockout policies in Microsoft Entra ID do, why they matter, how to configure them, and best practices for implementation.

What are Session Lockout Policies?

Session lockout policies in Microsoft Entra ID (Microsoft's name for the feature is smart lockout) are security mechanisms that temporarily lock a user account after a specified number of failed sign-in attempts. What is locked is the account's ability to authenticate with a password, not an existing session: lockout stops new password sign-ins but does not by itself revoke sessions or tokens that were already issued. These policies protect accounts against brute-force attacks, where an attacker tries many passwords against one account. They are far less effective against password spraying, where an attacker tries one or two common passwords against many accounts and never reaches the per-account threshold; that pattern has to be caught with MFA, banned-password lists, and sign-in log monitoring in addition to lockout.

Key Components of Session Lockout Policies

  1. Lockout Threshold: The number of failed sign-in attempts allowed before an account is locked. In Microsoft Entra ID the default is 10. Setting an appropriate threshold balances security against user convenience and against the risk of an attacker deliberately locking users out.
  2. Lockout Duration: How long an account remains locked after reaching the threshold. In Microsoft Entra ID the initial duration defaults to 60 seconds, and each subsequent lockout of the same account lasts longer, so repeated guessing is throttled harder over time.
  3. Observation Window: The time frame within which failed attempts are counted. For instance, with a 15-minute window and a threshold of 5, the account is locked after 5 failed attempts within 15 minutes. On-premises Active Directory exposes this as "Reset account lockout counter after"; Microsoft Entra ID does not expose a configurable window, smart lockout tracks the failure history internally.
  4. Reset Mechanism: How and when the lockout counter is reset. On-premises AD resets it after the observation window or when an administrator unlocks the account. In Microsoft Entra ID, administrators cannot manually unlock a cloud account locked by smart lockout; the lock expires after the lockout duration, or the user can clear it with self-service password reset from a trusted device or location.
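To make the four components concrete, here is a small added model of a lockout policy as a state machine; it is an illustration written for this article, not Microsoft's implementation. Two behaviours mirror what Microsoft documents for smart lockout: the lock gets longer on each subsequent lockout, and repeating a wrong password that was just tried is not counted as a new failure. The specific doubling rule, the 900-second window, and resetting the counter on a successful sign-in are assumptions chosen for the example.

```python
"""Toy model of an account-lockout policy: threshold, duration,
observation window and reset.  Added example, not Entra ID code."""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    threshold: int = 10      # Entra ID default: 10 failed attempts
    duration_s: int = 60     # Entra ID default: 60 seconds for the first lockout
    window_s: int = 900      # observation window (assumed; Entra ID does not expose one)
    escalate: bool = True    # double the duration on each subsequent lockout (assumed rule)


@dataclass
class AccountState:
    failure_times: list = field(default_factory=list)   # counted failures inside the window
    recent_bad: list = field(default_factory=list)      # fingerprints of the last 3 wrong passwords
    locked_until: float = 0.0
    lockouts: int = 0


def _fingerprint(password: str) -> str:
    # Store only a fingerprint of a guessed password, never the guess itself.
    return hashlib.sha256(password.encode()).hexdigest()


def attempt(policy: LockoutPolicy, state: AccountState,
            password: str, correct: str, now: float) -> str:
    """Apply one sign-in attempt at time `now`.

    Returns 'locked', 'success' or 'failure' and updates `state` in place.
    """
    if now < state.locked_until:
        return "locked"                          # rejected during the lockout; not counted
    if hmac.compare_digest(password.encode(), correct.encode()):
        state.failure_times.clear()              # reset mechanism: good sign-in clears the counter
        state.lockouts = 0
        return "success"
    fp = _fingerprint(password)
    if fp in state.recent_bad:
        return "failure"                         # same wrong password again: not counted twice
    state.recent_bad = (state.recent_bad + [fp])[-3:]
    # Observation window: forget failures older than window_s before counting this one.
    state.failure_times = [t for t in state.failure_times if now - t < policy.window_s]
    state.failure_times.append(now)
    if len(state.failure_times) >= policy.threshold:
        state.lockouts += 1
        factor = 2 ** (state.lockouts - 1) if policy.escalate else 1
        state.locked_until = now + policy.duration_s * factor
        state.failure_times.clear()
        return "locked"
    return "failure"


def simulate(policy: LockoutPolicy, correct: str, events) -> list:
    """Run a sequence of (time_seconds, password) attempts against a fresh account."""
    state = AccountState()
    return [attempt(policy, state, pw, correct, t) for t, pw in events]


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, duration_s=60)
    # Constructed attempt sequence: a repeated guess, two more guesses, then the real password.
    events = [(0, "x1"), (1, "x1"), (2, "x2"), (3, "x3"), (10, "Correct!"), (70, "Correct!")]
    for (t, pw), result in zip(events, simulate(policy, "Correct!", events)):
        print(f"t={t:>3}s {pw!r:12} -> {result}")
```

Running the block shows the second `x1` attempt not counting, the third distinct guess triggering the lock, the correct password being refused while the lock is active, and the sign-in succeeding once the 60 seconds have passed. Run it with a threshold of 2 and it also shows the second lockout lasting twice as long as the first.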

Importance of Session Lockout Policies

Session lockout policies are vital for several reasons:

  1. Protection Against Brute Force Attacks: By capping the number of failed attempts per account and lengthening the lock on repeat offenders, lockout turns an online guessing attack that could try thousands of passwords per hour into one that tries a handful, which makes guessing any password of reasonable strength impractical.
  2. Compliance and Regulatory Requirements: PCI DSS (Requirement 8) explicitly requires locking an account after a limited number of failed attempts. HIPAA and GDPR do not name lockout, but both require appropriate technical safeguards for sensitive data, and assessors routinely expect a lockout control as part of that.
  3. Enhanced Security Posture: Lockout is one layer that complements, and does not replace, multi-factor authentication (MFA), banned-password lists, and Conditional Access. A sprayed or phished password that is correct on the first try is never stopped by lockout; MFA is what stops it.
  4. User Account Safety: Lockout protects individual accounts, and therefore the personal and organizational data behind them, from credential-guessing attacks the user would otherwise never notice.

Configuring Session Lockout Policies in Microsoft Entra ID

Microsoft Entra ID lets you tune the lockout threshold and duration to your organization's needs; the steps below also cover the Conditional Access policy that should accompany them.

Step 1: Accessing Microsoft Entra ID

  1. Sign in to the Microsoft Entra admin center at https://entra.microsoft.com with at least the Authentication Policy Administrator role (for the lockout settings) or Conditional Access Administrator role (for Conditional Access).
  2. The left-hand menu groups settings under Identity (users, groups, applications) and Protection (Conditional Access, Authentication methods, Identity Protection). Both settings used below are under Protection.

[Screenshot in the original: the Microsoft Entra admin center.]

Step 2: Setting Up Conditional Access Policies

Conditional Access policies in Microsoft Entra ID let administrators define the conditions under which users can reach resources (which users, from which devices and locations, to which applications) and what is then required, such as MFA or a compliant device, or whether access is blocked outright. They are not lockout policies: Conditional Access evaluates each sign-in against conditions and risk signals, while smart lockout counts failed password attempts. The two work together: lockout throttles password guessing, and Conditional Access ensures that a guessed or sprayed password alone is not enough to get in. The policy below, a pilot that requires MFA for a test group, is the standard starting point.

Steps:

  • Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  • Browse to Protection > Conditional Access, select + New policy, and then select Create new policy.
  • Enter a name for the policy, such as MFA Pilot.
  • Under Assignments, select the current value under Users or workload identities. Under Include, select Users and groups and choose the pilot group. Under Exclude, add your emergency access (break-glass) accounts so that a misconfigured policy cannot lock every administrator out of the tenant.
  • Under Target resources, select All cloud apps, or a narrower set of applications for the pilot.
  • Under Access controls > Grant, select Grant access, check Require multifactor authentication, and then select Select.
  • Under Enable policy, start with Report-only and review the sign-in logs to see which sign-ins the policy would have affected, then set it to On.

[Screenshots in the original: the New policy page, the Users or workload identities assignment, the Users and groups picker with the pilot group selected, the Grant control with Require multifactor authentication checked, and the Enable policy toggle set to On.]

Step 3: Configuring Lockout Settings

  1. In the Microsoft Entra admin center, browse to Protection > Authentication methods > Password protection.
  2. Under Custom smart lockout, configure the following settings:
    • Lockout threshold: the number of failed attempts before the first lockout (default 10).
    • Lockout duration in seconds: how long the first lockout lasts (default 60 seconds); each subsequent lockout of the same account lasts longer.
  3. Select Save. Smart lockout itself is always on for every tenant; customizing these two values requires a Microsoft Entra ID P1 or higher license.
  4. If you synchronize an on-premises Active Directory and use pass-through authentication or password hash synchronization, set the Entra ID lockout threshold lower than the AD account lockout threshold and the Entra ID lockout duration longer than the AD reset-counter window. That way guesses against the cloud sign-in endpoint are stopped in Entra ID before they can lock the on-premises account, which an attacker could otherwise use to deny service to your users.

Step 4: Monitoring and Adjusting Policies

  1. Regularly review the effect of your lockout policy in the sign-in logs (Identity > Monitoring & health > Sign-in logs). Failed password attempts appear with error code 50126 (invalid username or password) and lockouts with error code 50053 (account locked). Export the logs to Log Analytics or your SIEM so you can alert on them rather than read them by hand.
  2. Adjust the lockout threshold and duration based on what you observe: many lockouts of legitimate users from familiar locations points to a threshold that is too low or to a misconfigured client retrying a stale password, while a single IP address failing once against many different accounts is a password spray that the per-account threshold will never catch.
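As an added example of the review in step 4 (not part of the original article), the script below summarizes sign-in records and flags the three patterns worth acting on: one account with many failures (brute force), one source address failing against many accounts (password spray), and accounts that were actually locked. The records are constructed for the example and follow the shape of the Microsoft Graph `signIn` resource (`userPrincipalName`, `ipAddress`, `status.errorCode`); the error codes 50126 and 50053 are the documented Entra ID codes, while the two thresholds are assumptions chosen here.

```python
"""Summarise Entra ID sign-in records for lockout and credential-guessing review.
Added example; the sample records are constructed, not exported from a tenant."""
import json
from collections import Counter, defaultdict

INVALID_CREDENTIALS = 50126   # Entra ID: invalid username or password
ACCOUNT_LOCKED = 50053        # Entra ID: account locked (smart lockout) or sign-in blocked

# Constructed sample in Microsoft Graph signIn shape: one brute-force source hammering
# alice until she is locked, one spray source trying bob/carol/dave once each, and a
# legitimate successful sign-in by alice from a different address.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2024-08-06T09:00:01Z", "userPrincipalName": "alice@contoso.com",
     "ipAddress": "203.0.113.9", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-08-06T09:00:03Z", "userPrincipalName": "alice@contoso.com",
     "ipAddress": "203.0.113.9", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-08-06T09:00:05Z", "userPrincipalName": "alice@contoso.com",
     "ipAddress": "203.0.113.9", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-08-06T09:00:07Z", "userPrincipalName": "alice@contoso.com",
     "ipAddress": "203.0.113.9", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-08-06T09:00:09Z", "userPrincipalName": "alice@contoso.com",
     "ipAddress": "203.0.113.9", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-08-06T09:00:11Z", "userPrincipalName": "alice@contoso.com",
     "ipAddress": "203.0.113.9", "status": {"errorCode": 50053}},
    {"createdDateTime": "2024-08-06T09:01:00Z", "userPrincipalName": "bob@contoso.com",
     "ipAddress": "10.0.0.5", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-08-06T09:01:02Z", "userPrincipalName": "carol@contoso.com",
     "ipAddress": "10.0.0.5", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-08-06T09:01:04Z", "userPrincipalName": "dave@contoso.com",
     "ipAddress": "10.0.0.5", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-08-06T09:05:00Z", "userPrincipalName": "alice@contoso.com",
     "ipAddress": "198.51.100.2", "status": {"errorCode": 0}},
])


def load_sample() -> list:
    """Parse the constructed JSON export into a list of record dicts."""
    return json.loads(SAMPLE_SIGNINS)


def summarize(records):
    """Return (failures per user, distinct users targeted per IP, locked users)."""
    failures_by_user = Counter()
    users_by_ip = defaultdict(set)
    locked_users = set()
    for rec in records:
        code = rec["status"]["errorCode"]
        user, ip = rec["userPrincipalName"], rec["ipAddress"]
        if code == INVALID_CREDENTIALS:
            failures_by_user[user] += 1
            users_by_ip[ip].add(user)
        elif code == ACCOUNT_LOCKED:
            locked_users.add(user)
    return failures_by_user, users_by_ip, locked_users


def findings(records, brute_threshold: int = 5, spray_min_users: int = 3) -> list:
    """Flag brute force (many failures on one account), password spray (one IP, many
    accounts) and lockouts.  Both thresholds are assumptions for the example."""
    failures_by_user, users_by_ip, locked_users = summarize(records)
    out = []
    for user, n in failures_by_user.items():
        if n >= brute_threshold:
            out.append(("brute-force", user, n))
    for ip, users in users_by_ip.items():
        if len(users) >= spray_min_users:
            out.append(("password-spray", ip, len(users)))
    for user in sorted(locked_users):
        out.append(("locked-out", user, 1))
    return out


if __name__ == "__main__":
    for kind, subject, count in findings(load_sample()):
        print(f"{kind:15} {subject:22} {count}")
```

Note that the spray source never trips the lockout threshold, since each account sees a single failure; only correlating failures by source address reveals it, which is why the review has to look at the logs and not just at lockout counts. The same `summarize` logic applies unchanged to records pulled from the Graph `/auditLogs/signIns` endpoint or from a Log Analytics export with the same field names.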

Best Practices for Implementing Session Lockout Policies

Implementing effective session lockout policies requires a balance between security and usability. Here are some best practices to consider:

1. Set a Reasonable Lockout Threshold

A very low threshold locks legitimate users out frequently, which frustrates them, generates helpdesk load, and makes it trivial for an attacker to lock any account on purpose. A very high threshold gives an online guesser too many tries. Microsoft's default in Entra ID is 10, and a threshold of 5-10 is reasonable for most organizations; a threshold lower than that rarely buys security that MFA would not buy more cheaply.

2. Define an Appropriate Lockout Duration

The lockout duration should be long enough to slow an attacker but short enough to minimize inconvenience for legitimate users. On-premises AD policies commonly use 15-30 minutes. Entra ID defaults to 60 seconds for the first lockout and lengthens the lock on each subsequent lockout of the same account, so a short initial value already reduces an online attack to a few guesses per minute; a long fixed duration mainly raises the damage an attacker can do by deliberately locking accounts.

3. Use Multi-Factor Authentication (MFA)

MFA requires users to present an additional verification factor beyond the password. Combining MFA with lockout policies closes the gap lockout leaves open: a password that is phished or sprayed correctly on the first attempt is never stopped by lockout, but without the second factor it is not enough to sign in.

4. Regularly Review and Adjust Policies

Monitor login attempts and lockout incidents to identify attack patterns and adjust your policies accordingly. Regular reviews help ensure that your lockout policies remain effective and relevant.

5. Educate Users

Ensure that users know the lockout policies and understand the importance of safeguarding their credentials. Provide a guide on creating strong passwords and recognizing phishing attempts.

6. Implement Self-Service Password Reset (SSPR)

SSPR lets users reset their passwords without administrative intervention. It matters more in Entra ID than on-premises, because administrators cannot manually unlock a cloud account locked by smart lockout: the lock either expires on its own or the user clears it by resetting the password through SSPR from a trusted device or location. SSPR therefore reduces both the impact of lockouts and the helpdesk load they create.

7. Use Conditional Access Policies

Leverage conditional access policies to enforce stricter controls based on user risk levels, device compliance, and other factors. This adds an additional layer of security and helps mitigate risks.

Conclusion 

Session lockout policies in Microsoft Entra ID are a critical component of an organization's security strategy. By throttling brute-force password guessing, they help protect sensitive data and satisfy regulatory requirements that call for a lockout control.

Implementing effective lockout policies requires careful consideration of the lockout threshold and duration, of how the cloud policy interacts with an on-premises Active Directory, and of the attacks lockout does not stop, such as password spraying and phished credentials, which need MFA and log monitoring. Organizations can strike the right balance between security and usability by following the best practices above and continuously monitoring and adjusting their policies.
