Introduction
Passwords remain the most common method of authentication, but they are also one of the weakest links in security if not properly managed. Microsoft Entra ID provides built-in password protection features that help administrators enforce strong password policies, prevent common attack vectors, and reduce the risk of compromised accounts.
In this exercise, you’ll explore how to configure smart lockout settings and enforce a custom banned password list. These capabilities allow organizations to automate password strength requirements and defend against brute-force login attempts, ensuring a more secure identity environment.
Exercise - Perform basic Password Protection tasks
In this exercise you will explore the capabilities Microsoft Entra ID offers in protecting your password. You will see how you can automate and enforce a strong password,and use login restrictions to prevent password attacks.
Task 1 - View lock settings, and review duration and threshold values
- Open the Microsoft Entra admin center at https://entra.microsoft.com.
- Log in using the credentials for your tenant.
- From the menu on the left, select Protection submenu and then select Authentication methods.
Note - You could also search on Password protection in the search bar at the top. Select Password protection from the list.
Set the Custom smart lockout with the following values.

Set the Custom smart lockout with the following values.
| Field | Value | Description |
|---|---|---|
| Lockout threshold | 5 | Number of failed login attempts allowed before the account is locked. |
| Lockout duration | 30 | Duration (in seconds) that the account remains locked once the threshold is reached. |
Note - You can also configure a custom banned password list here.

- Set Enforce custom list to Yes.
- Enter the following values:
- Contoso
- London
- Widget
Lab Tip - Your lab is being performed for a company called Contoso, located in London, and it makes Widgets. By enter these three words you block them from being part or a whole of a password. - Set the value for Mode to Enforced.
- Select the Save item at the top of the screen.
Summary
This exercise demonstrated how to:
Access the Authentication methods → Password protection settings in Microsoft Entra.
Configure Custom smart lockout with a threshold of 5 failed attempts and a lockout duration of 30 seconds.
Create a custom banned password list (e.g., “Contoso,” “London,” “Widget”) to block weak or predictable passwords.
Set the Mode to “Enforced” so that these rules are actively applied to all users.
By applying these configurations, administrators can strengthen password policies and reduce exposure to password-based attacks.
Conclusion
Strong password protection is a cornerstone of identity security. With Microsoft Entra ID, administrators can go beyond basic complexity rules by implementing smart lockout policies and custom banned password lists. These measures ensure that users cannot rely on weak, predictable passwords and that repeated failed login attempts are automatically mitigated.
This exercise highlights how simple configuration changes can significantly improve organizational security posture, making password attacks far less effective.
Takeaway Points
Smart lockout automatically protects accounts from brute-force attacks.
Custom banned password lists prevent the use of predictable or company-related terms.
Setting the Mode to Enforced ensures policies are applied consistently across the tenant.
Even small adjustments in password policy can have a big impact on security resilience.
Top comments (0)