Azure Excessive Account Lockouts

Panther Rules

Summary
The Azure Excessive Account Lockouts detection rule inspects Microsoft Entra ID activity for a pattern of repeated account lockouts caused by failed sign-in attempts. That pattern is a common sign of brute-force activity such as password spraying, credential stuffing, or password guessing. The rule keys on sign-in failures carrying error code 50053, which Entra ID returns when an account has been locked after too many incorrect login attempts. It monitors the Azure Audit logs and fires once 20 such failures have been recorded within a 60-minute window. Its runbook directs analysts to investigate the source of the failed login attempts, including the caller’s IP address and user agent string, since an unusual or scripted user agent may reveal the use of automated attack tools. The rule supports defenses against unauthorized access by alerting security personnel when activity that suggests credential compromise is detected.
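The following is an added illustration of the detection logic described above; it is not the rule's own code from Panther. It pairs a per-event predicate in the shape of a Panther Python rule (match on error code 50053) with a sliding-window counter that fires once 20 lockouts fall within 60 minutes, and pulls the caller IP and user agent into the alert context for the analyst. The event field paths (properties.status.errorCode, callerIpAddress, properties.userPrincipalName, properties.userAgent) are assumptions modelled on the Azure sign-in log shape, and the sample events are constructed.

```python
"""Added example: Entra ID lockout (error code 50053) detection with a
20-in-60-minutes threshold. Field paths are assumptions, not the rule's
real schema; sample events are constructed for the demonstration."""
from collections import deque
from datetime import datetime, timedelta, timezone

LOCKOUT_ERROR_CODE = 50053      # account locked after too many failed sign-ins
THRESHOLD = 20                  # failures needed before alerting (from the page)
WINDOW = timedelta(minutes=60)  # evaluation window (from the page)


def deep_get(d, *keys, default=None):
    """Walk nested dicts safely; return default if any key is missing."""
    for k in keys:
        if not isinstance(d, dict) or k not in d:
            return default
        d = d[k]
    return d


def rule(event):
    """Per-event predicate: True only for sign-ins that ended in a lockout.
    Assumed field path: properties.status.errorCode."""
    return deep_get(event, "properties", "status", "errorCode") == LOCKOUT_ERROR_CODE


def alert_context(event):
    """What the runbook asks an analyst to look at first: who, from where,
    and with which client (assumed field paths)."""
    return {
        "user": deep_get(event, "properties", "userPrincipalName", default="<unknown>"),
        "caller_ip": event.get("callerIpAddress", "<unknown>"),
        "user_agent": deep_get(event, "properties", "userAgent", default="<unknown>"),
    }


def count_lockouts(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window counter over time-ordered events. Emits one alert the
    moment `threshold` lockouts fall inside the trailing `window`, then
    resets so a burst yields a single alert rather than one per event."""
    recent = deque()
    alerts = []
    for ev in events:
        if not rule(ev):
            continue
        ts = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        recent.append(ts)
        while recent and ts - recent[0] > window:   # drop lockouts older than the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append({**alert_context(ev), "time": ev["time"], "count": len(recent)})
            recent.clear()
    return alerts


def build_sample_events():
    """Constructed sample log: 22 lockouts one minute apart from a single
    caller IP, two ordinary wrong-password failures (50126), one success,
    and a lone lockout five hours later that sits outside any 60-minute window."""
    base = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)

    def ev(minutes, code, ip="198.51.100.7"):
        return {
            "time": (base + timedelta(minutes=minutes)).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "callerIpAddress": ip,
            "properties": {
                "userPrincipalName": "alice@example.com",
                "userAgent": "python-requests/2.31",   # scripted client, as the runbook warns
                "status": {"errorCode": code},
            },
        }

    events = [ev(m, LOCKOUT_ERROR_CODE) for m in range(22)]
    events += [ev(0.5, 50126), ev(1.5, 50126, ip="203.0.113.9"), ev(2.5, 0)]
    events.append(ev(300, LOCKOUT_ERROR_CODE))
    return sorted(events, key=lambda e: e["time"])


if __name__ == "__main__":
    for alert in count_lockouts(build_sample_events()):
        print(alert)
```

Run stand-alone, the sample yields exactly one alert, raised at the 20th lockout (10:19) with count 20 and the scripted user agent in the context; the 21st and 22nd lockouts do not re-alert, and the isolated lockout five hours later never reaches the threshold because the earlier ones have aged out of the window.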
Categories
  • Cloud
  • Identity Management
Data Sources
  • User Account
  • Cloud Service
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1110
  • T1110.001
  • T1110.003
  • T1110.004
Created: 2026-01-31