According to the Microsoft SC-300: Identity and Access Administrator Official Study Guide and Microsoft Learn module “Configure Azure AD Multi-Factor Authentication settings”, the Account Lockout settings in Azure AD MFA define how the service reacts to repeated failed MFA verification attempts.
From the exhibit:
Number of MFA denials to trigger account lockout: 3
Minutes until account lockout counter is reset: 60
Minutes until account is automatically unblocked: 30
1. Lockout trigger type:
The lockout applies to MFA denials — specifically, failed verification attempts using methods such as the Microsoft Authenticator app (OTP code) or phone call verification. It does not apply to incorrect usernames or passwords, as those are handled by Azure AD sign-in risk policies.
The official Microsoft documentation states:
“Account lockout in Azure AD Multi-Factor Authentication occurs after the configured number of denied MFA verification attempts. This setting applies to users entering an incorrect PIN or app verification code.”
Therefore, after three incorrect Microsoft Authenticator app codes, the account is temporarily locked.
2. Lockout duration:
The setting “Minutes until account is automatically unblocked: 30” means that once an account is locked due to too many failed MFA attempts, it will automatically unlock after 30 minutes without administrator intervention.
This aligns with Microsoft’s MFA service behavior:
“When the account lockout threshold is reached, the account remains locked for the configured duration before being automatically unlocked.”
✅ Final Correct Answers:
Wrong input type causing lockout: Microsoft Authenticator app code
Unlock duration: 30 minutes
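The following model replays the three exhibit values against a timeline of MFA attempts. It is an added example, not Microsoft's code or part of the study guide. The class, function and outcome names are hypothetical, the timeline is constructed, and two behaviours are assumptions the page does not specify: the counter resets 60 minutes after the last denial, and a successful verification leaves the counter unchanged.

```python
from dataclasses import dataclass
from typing import Optional

# Values from the exhibit.
DENIALS_TO_LOCK = 3      # Number of MFA denials to trigger account lockout
COUNTER_RESET_MIN = 60   # Minutes until account lockout counter is reset
AUTO_UNBLOCK_MIN = 30    # Minutes until account is automatically unblocked


@dataclass
class MfaLockoutModel:
    """Toy model of the account lockout settings (hypothetical, not Microsoft's code)."""
    denials: int = 0
    last_denial: Optional[int] = None   # minute of the most recent denial
    locked_at: Optional[int] = None     # minute the lockout started

    def attempt(self, now: int, mfa_ok: bool) -> str:
        """Process one MFA verification at minute `now` and return the outcome."""
        # Auto-unblock: the lock expires AUTO_UNBLOCK_MIN minutes after it began.
        if self.locked_at is not None:
            if now - self.locked_at < AUTO_UNBLOCK_MIN:
                return "locked"
            self.locked_at, self.denials, self.last_denial = None, 0, None
        # Assumption: the counter resets once COUNTER_RESET_MIN minutes have
        # passed since the last denial; a success does not change the counter.
        if self.last_denial is not None and now - self.last_denial >= COUNTER_RESET_MIN:
            self.denials = 0
        if mfa_ok:
            return "allowed"
        self.denials += 1
        self.last_denial = now
        if self.denials >= DENIALS_TO_LOCK:
            self.locked_at = now
            return "denied+locked"
        return "denied"


def replay(events):
    """Replay (minute, mfa_ok) pairs and return the outcome of each attempt."""
    model = MfaLockoutModel()
    return [model.attempt(minute, ok) for minute, ok in events]


# Constructed timeline: 3 wrong codes, a correct code while locked, one after unblock.
SAMPLE = [(0, False), (1, False), (2, False), (10, True), (32, True)]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE, replay(SAMPLE)):
        print(event, outcome)
```

In the sample, the correct code at minute 10 is still rejected because the lock set at minute 2 has not yet run for 30 minutes; the same code at minute 32 is accepted.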