Microsoft Intune service must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period.

Severity: medium
Group ID: V-267314
Group Title: SRG-APP-000065-UEM-000036
Version: MSIN-24-000140
Rule ID: SV-267314r1026042_rule
Date: 2024-10-04
STIG Version: 1
Description
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.

Satisfies: FMT_SMF.1(2)b. Reference: PP-MDM-431028
Satisfies: SRG-APP-000065-UEM-000036, SRG-APP-000345-UEM-000218
ℹ️ Check
Intune administrator sign-in is authenticated by Entra ID, so the lockout limit is verified there. Verify Entra ID is configured to enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period.

1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
2. Browse to Protection >> Authentication methods >> Password protection.
3. Verify the Lockout threshold is set to 3 and the Lockout duration in seconds is set to 900 or more.

If Entra ID is not configured to lock the account after three consecutive invalid login attempts for at least 15 minutes (900 seconds), this is a finding.
✔️ Fix
Intune administrator account authentication is managed by Entra ID. To configure account lockout settings, complete these steps.

Required procedure: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-smart-lockout

1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
2. Browse to Protection >> Authentication methods >> Password protection.
3. Set the Lockout threshold to 3. The default is 10 for Azure Public tenants and 3 for Azure U.S. Government tenants.
4. Set the Lockout duration in seconds to at least 900 (15 minutes). The default is 60 seconds (one minute), so the value must be raised explicitly.

Note: If the first sign-in after a lockout period has expired also fails, the account locks out again. If an account locks repeatedly, the lockout duration increases. Smart lockout tracks the last three bad password hashes and does not increment the counter when the same wrong password is resubmitted, so a manual test of the threshold must use distinct wrong passwords.

Changes to these settings can be viewed in the Entra ID audit logs:

1. Log in to the Entra ID tenant with Global Administrator (GA) permissions.
2. Scroll down to the Monitoring section and select "Audit Logs".
3. Directory events, including changes to the password protection settings and user creation and modification, are shown.
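The manual check above can be scripted. The following PowerShell is an added example written for this page; it is not part of the STIG or of any Microsoft documentation. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication) is installed, that the signed-in account holds Directory.Read.All and AuditLog.Read.All, and that the smart lockout values are exposed through the beta "Password Rule Settings" directorySetting object under the value names LockoutThreshold and LockoutDurationInSeconds (treat those names as assumptions and confirm them against your tenant). It reports a finding when the object is absent (tenant defaults then apply), when the threshold exceeds 3, or when the duration is below 900 seconds, and then lists recent sign-ins that failed with AADSTS50053 (account locked) as evidence that the control is actually firing.

```powershell
# Added example, not STIG or Microsoft code: check Entra ID smart lockout
# settings against MSIN-24-000140 and list recent lockout events.
# Assumptions: Microsoft.Graph.Authentication installed; Directory.Read.All and
# AuditLog.Read.All granted; the 'Password Rule Settings' beta directorySetting
# exposes LockoutThreshold and LockoutDurationInSeconds (assumed value names).

$RequiredThreshold = 3     # consecutive failures before lockout
$RequiredDuration  = 900   # seconds (15 minutes)

function Get-SmartLockoutSetting {
    # Returns @{Threshold; Duration} or $null when no 'Password Rule Settings'
    # object exists, in which case tenant defaults apply (Public: 10 / 60 s).
    $resp  = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
             -Uri 'https://graph.microsoft.com/beta/settings'
    $rules = $resp.value | Where-Object { $_.displayName -eq 'Password Rule Settings' }
    if (-not $rules) { return $null }

    $vals = @{}
    foreach ($v in $rules.values) { $vals[$v.name] = $v.value }
    # Treat a missing or empty value as unset rather than silently casting to 0.
    if ([string]::IsNullOrEmpty($vals['LockoutThreshold']) -or
        [string]::IsNullOrEmpty($vals['LockoutDurationInSeconds'])) { return $null }

    return @{
        Threshold = [int]$vals['LockoutThreshold']
        Duration  = [int]$vals['LockoutDurationInSeconds']
    }
}

function Test-SmartLockoutCompliance {
    param([hashtable]$Setting)
    if ($null -eq $Setting) {
        return 'FINDING: no Password Rule Settings values set; tenant defaults are in effect.'
    }
    $ok = ($Setting.Threshold -le $RequiredThreshold) -and
          ($Setting.Duration  -ge $RequiredDuration)
    $state = if ($ok) { 'PASS' } else { 'FINDING' }
    return ('{0}: LockoutThreshold={1} (required <= {2}), LockoutDurationInSeconds={3} (required >= {4})' -f
            $state, $Setting.Threshold, $RequiredThreshold, $Setting.Duration, $RequiredDuration)
}

function Get-RecentLockouts {
    # Sign-ins rejected with error 50053 (AADSTS50053, account locked) show the
    # policy being enforced; $filter on status/errorCode is supported by Graph.
    param([int]$Top = 20)
    $uri  = "https://graph.microsoft.com/v1.0/auditLogs/signIns?" +
            "`$filter=status/errorCode%20eq%2050053&`$top=$Top"
    $resp = Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri $uri
    return $resp.value | ForEach-Object {
        [pscustomobject]@{
            When  = $_.createdDateTime
            User  = $_.userPrincipalName
            IP    = $_.ipAddress
            Error = $_.status.errorCode
        }
    }
}

Connect-MgGraph -Scopes 'Directory.Read.All', 'AuditLog.Read.All' -NoWelcome
Test-SmartLockoutCompliance -Setting (Get-SmartLockoutSetting)
Get-RecentLockouts | Format-Table -AutoSize
```

Run it interactively after the Fix has been applied; a PASS line plus 50053 entries for the test account used to exercise the threshold (with three distinct wrong passwords, per the note above) is the evidence to record with the check.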