Overview
Accounts in Microsoft Entra ID (formerly Azure AD) which have Entra Multi-Factor Authentication (MFA) enabled, are subject to these Entra MFA Account Lockout settings:
- Number of MFA denials to trigger account lockout: 3 denials
- Minutes until account lockout counter is reset: 5 minutes
- Minutes until account is automatically unblocked: 15 minutes
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#account-lockout
Note: This setting does not affect Duo MFA protected accounts.
Warning
Users can block access to their own accounts separate from the lockout settings. An explicit Entra MFA block will be set for 90 days and must be administratively unblocked.