What are the Microsoft Entra MFA account lockout settings?

Overview

Accounts in Microsoft Entra ID (formerly Azure AD) that have Entra Multi-Factor Authentication (MFA) enabled are subject to these Entra MFA account lockout settings:

  • Number of MFA denials to trigger account lockout: 3 denials
  • Minutes until account lockout counter is reset: 5 minutes
  • Minutes until account is automatically unblocked: 15 minutes

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings#account-lockout

Note: This setting does not affect Duo MFA protected accounts.
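
Added example (not Microsoft's code and not part of the original article): the Python below replays MFA denial timestamps for one account against the three settings above and reports when the account would lock and when it would automatically unblock. It assumes the counter clears once 5 minutes have passed since the last counted denial and that denials during a lockout are not counted; the names lockout_windows, at and SAMPLE and the timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Values stated in this article.
DENIALS_TO_LOCK = 3
COUNTER_RESET = timedelta(minutes=5)
AUTO_UNBLOCK = timedelta(minutes=15)


def lockout_windows(denials):
    """Return (locked_at, unblocked_at) pairs for one account's MFA denials.

    Assumed model, not confirmed by the article: the counter clears when
    COUNTER_RESET has elapsed since the last counted denial, and denials
    that arrive while the account is locked are ignored.
    """
    windows = []
    count = 0
    last = None
    locked_until = None
    for ts in sorted(denials):
        if locked_until is not None and ts < locked_until:
            continue  # account is locked, so this denial is not counted
        if last is not None and ts - last >= COUNTER_RESET:
            count = 0  # quiet period elapsed, counter starts over
        count += 1
        last = ts
        if count >= DENIALS_TO_LOCK:
            locked_until = ts + AUTO_UNBLOCK
            windows.append((ts, locked_until))
            count, last = 0, None
    return windows


def at(hhmm):
    """Build a timestamp on a constructed sample day."""
    return datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed sample: MFA denial times for one hypothetical account.
SAMPLE = [at(t) for t in ("09:00", "09:02", "09:08", "09:10", "09:11",
                          "09:20", "09:27", "09:28", "09:29")]

if __name__ == "__main__":
    for locked, unblocked in lockout_windows(SAMPLE):
        print(f"locked {locked:%H:%M}, auto-unblock {unblocked:%H:%M}")
```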

 

Warning

Users can block access to their own accounts separately from the lockout settings. An explicit Entra MFA block will be set for 90 days and must be administratively unblocked.