People still obsess over password complexity.
Twelve characters. Special symbols. Rotation every 90 days.
And yet accounts still get compromised.
That’s because attackers don’t guess random passwords anymore. They guess human passwords.
That’s not a complexity problem. That’s a behaviour problem.
So instead of arguing about password rules, I push clients to focus on two things they already have in Microsoft 365:
Password Protection and Smart Lockout.
Quietly running. Often ignored. Rarely tuned.
Here’s what actually matters.
What is Entra ID Password Protection + Smart Lockout, really?
It’s not a password policy.
It’s a filter and a shield.
Password Protection stops users from choosing bad passwords in the first place.
It uses a global banned password list driven by Microsoft telemetry and blocks weak or common passwords automatically—no configuration required. [learn.microsoft.com]
On top of that, you can add your own banned terms. Company names. Locations. Products. The obvious stuff attackers try first.
Then there’s Smart Lockout.
This is what most people misunderstand.
It’s not “lock the account after X attempts”.
That’s old thinking.
Smart Lockout can distinguish between a real user fat-fingering a password and an attacker trying thousands of guesses. [learn.microsoft.com]
Same identity. Different treatment.
Attackers get blocked quickly.
Real users keep working.
That’s not a nicer lockout policy.
That’s a signal-driven control.
“But we already have account lockout on-prem.”
Exactly.
And that’s the problem.
Step-by-Step: Tune Password Protection and Smart Lockout
Portal only. No scripts. No excuses.
1. Open Password Protection settings
Go to:
Entra admin centre
→ Protection
→ Authentication methods
→ Password protection
This is the only place you need.
2. Add a custom banned password list
Add terms like:
- Company name variations
- Internal product names
- Common abbreviations
- Location names
These get evaluated alongside the global list and block weak variants automatically. [learn.microsoft.com]
Not just exact matches.
Variants.
That’s the key.
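To show what "variants" means in practice, here is an added example (not part of this post, and not Microsoft's code) that models the documented evaluation: normalise the candidate, look for banned terms within an edit distance of one, then score each banned term found as 1 point and each leftover character as 1 point, rejecting anything under 5 points. The banned lists and the substitution table are constructed for illustration; the real global list comes from Microsoft telemetry.

```python
# Constructed sample lists: the real global list comes from Microsoft telemetry.
GLOBAL_BANNED = ["password", "contoso", "welcome", "summer", "winter", "blank"]
CUSTOM_BANNED = ["fabrikam", "tailspin", "london"]  # the tenant's own terms (step 2)
# Assumed subset of the look-alike substitutions undone during normalisation.
SUBSTITUTIONS = str.maketrans({"0": "o", "$": "s", "@": "a", "3": "e"})
MIN_POINTS = 5  # documented acceptance threshold

def normalize(password: str) -> str:
    """Lower-case and undo common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)

def within_one_edit(a: str, b: str) -> bool:
    """True when a becomes b with at most one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1               # extra character in a
        elif len(a) < len(b):
            j += 1               # character missing from a
        else:
            i, j = i + 1, j + 1  # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1

def find_term(text: str, term: str):
    """Return the span of the first window within one edit of term, exact width first."""
    for width in (len(term), len(term) - 1, len(term) + 1):
        for start in range(len(text) - width + 1):
            if within_one_edit(text[start:start + width], term):
                return start, start + width
    return None

def evaluate(password: str, banned=tuple(GLOBAL_BANNED + CUSTOM_BANNED)) -> dict:
    """Each banned term found scores 1 point, each leftover character 1 point."""
    remaining, hits = normalize(password), []
    for term in sorted(banned, key=len, reverse=True):  # longest terms first
        hit = find_term(remaining, term)
        if hit:
            hits.append(term)
            remaining = remaining[:hit[0]] + remaining[hit[1]:]  # consume the match
    points = len(hits) + len(remaining)
    return {"hits": hits, "points": points, "accepted": points >= MIN_POINTS}

print(evaluate("C0ntos0Blank12"))  # 4 points: contoso + blank + 1 + 2, rejected
```

Note that "Fabrikm#1" is also rejected even though "fabrikam" never appears verbatim: the one-edit match catches the misspelling, which is the behaviour the custom list buys you.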
3. Review Smart Lockout threshold
Default is:
- Around 10 failed attempts before lockout [learn.microsoft.com]
Most SMBs never touch this.
My recommendation?
Lower it slightly only if you understand user behaviour.
Too low and you create support tickets.
Too high and you give attackers room to work.
You’re not tuning numbers.
You’re tuning friction.
4. Set lockout duration
Default starts short (around a minute) and increases with repeated attempts. [learn.microsoft.com]
That’s deliberate.
Short for users.
Painful for attackers.
If you override this, be careful.
Long lockouts punish users.
Short lockouts reward attackers.
5. Leave Smart Lockout on (always)
Important:
Smart Lockout is already enabled.
There’s nothing to “turn on”.
There’s only:
- Leaving it alone
- Or breaking it
6. Pair it with MFA (properly)
Password protection is not enough.
Microsoft is very clear on that.
Use it alongside MFA and Conditional Access. [learn.microsoft.com]
Otherwise you’re just slowing attackers down.
Not stopping them.
Why this actually changes behaviour
This is the part most MSPs miss.
These features don’t just block attacks.
They retrain users.
Bad password?
Rejected.
Repeated guessing?
Blocked.
Users learn quickly what works and what doesn’t.
No training session required.
No PDF sent out.
No awareness campaign.
The system corrects behaviour in real time.
“We’ll just educate users instead.”
You can.
Or you can enforce it once and let the platform do it forever.
Ask once. Enforce always.
Here’s the real win:
- Fewer compromised accounts
- Fewer lockout tickets
- Fewer “why is this happening?” calls
And importantly:
- Better outcomes with less effort
That’s the bit most people overlook.
Notice what’s missing?
No password complexity discussion.
No rotation debates.
No “special characters required”.
Because those don’t solve the real problem.
Attackers aren’t brute-forcing randomly anymore.
They’re spraying expected passwords across thousands of accounts.
Password Protection removes the obvious targets.
Smart Lockout kills the attack path.
Different layers.
Same outcome.
Passwords aren’t going away.
But weak passwords should.
And repeated guessing definitely should.
Password Protection isn’t there to make passwords stronger.
It’s there to make bad passwords impossible.