Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
Why This Matters
Brute-force and password spray attacks rely on attackers repeatedly guessing passwords until they succeed. Setting your account lockout duration below 60 seconds gives attackers too many attempts in a short timeframe, significantly reducing the effectiveness of lockout as a defense. Conversely, setting it above 300 seconds can lock out legitimate users for too long, causing productivity loss.
What Aether365 Checks
This Aether365 check verifies that your Microsoft Entra ID password protection lockout duration is set to 60 seconds or greater. You can view this check in your Aether365 dashboard under the entra-id section.
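The same evaluation can be reproduced offline as an added example (this is not Aether365's own code). It assumes the setting is exposed the way Microsoft Graph directory settings are, as a "Password Rule Settings" object holding a `LockoutDurationInSeconds` name/value pair; the sample response is constructed, and the function names and status labels are hypothetical.

```python
import json

MIN_SECONDS = 60    # lower bound this check enforces
MAX_SECONDS = 300   # above this, legitimate users may stay locked out too long

# Constructed sample, shaped like a Microsoft Graph directory settings listing
# (assumed layout: "Password Rule Settings" object with name/value string pairs).
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"displayName": "Group.Unified", "values": [
            {"name": "EnableGroupCreation", "value": "true"}]},
        {"displayName": "Password Rule Settings", "values": [
            {"name": "LockoutThreshold", "value": "10"},
            {"name": "LockoutDurationInSeconds", "value": "30"}]},
    ]
})


def lockout_duration(settings_json):
    """Return the configured lockout duration in seconds, or None if not set."""
    for setting in json.loads(settings_json).get("value", []):
        if setting.get("displayName") != "Password Rule Settings":
            continue
        for pair in setting.get("values", []):
            if pair.get("name") == "LockoutDurationInSeconds":
                return int(pair["value"])  # values arrive as strings
    return None


def evaluate(settings_json):
    """Classify the tenant as a (status, seconds) tuple."""
    try:
        seconds = lockout_duration(settings_json)
    except (ValueError, TypeError, KeyError):
        return ("error", None)           # value present but not a usable integer
    if seconds is None:
        return ("not_configured", None)  # no explicit setting object found
    if seconds < MIN_SECONDS:
        return ("fail", seconds)
    if seconds > MAX_SECONDS:
        return ("pass_with_warning", seconds)
    return ("pass", seconds)


if __name__ == "__main__":
    print(evaluate(SAMPLE_RESPONSE))
```

The `pass_with_warning` status reflects the 300-second upper bound discussed under "Why This Matters"; the check itself only requires 60 seconds or greater.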