How can we improve Azure Active Directory?

← Azure Active Directory

Azure AD Smart Lockout unlock capability for admins

I'm blown away by the lack of options once your account gets locked out by the Azure AD Smart Lockout feature. Not having the ability to monitor the account lockout duration or have the option to unlock an account using this feature is insane.

66 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Alex Appleton shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

8 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Mark DePalma commented  ·   ·  Flag as inappropriate

    How do we not have this yet. Asking a use to do a full SSPR (if you even have it on) is crazy just to unlock an account.

  • Mirza Dedic commented  ·   ·  Flag as inappropriate

    Completely unproductive if we admins cannot unlock the account for the user, this is a huge PITA.

  • Ryan W commented  ·   ·  Flag as inappropriate

    Although we are still waiting for a way to unlock, I have found that filtering the Azure AD sign in logs to only show failure code 50053 ("Account is locked because user tried to sign in too many times with an incorrect user ID or password.") should show you who has been recently locked out. Most of these for us were from Exchange Online Basic Auth connections so it shows the value of moving to Modern Auth only.

    Thanks, Ryan.

  • Ryan W commented  ·   ·  Flag as inappropriate

    Seems to be an acknowledged limitation and SSPR is the only workaround:

    "Currently, an administrator can't unlock the users' cloud accounts if they have been locked out by the Smart Lockout capability. The administrator must wait for the lockout duration to expire. However, the user can unlock by using self-service password reset (SSPR) from a trusted device or location." (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout)

  • Rich Ivey commented  ·   ·  Flag as inappropriate

    I agree 100%. To not be able to unlock a user account as a Global Administrator is unacceptable. Standard users expect us to be able to take care of something like this immediately. I had a user locked out of Skype Online when he needed to be on a Skype Online call with a client presenting a proposal on-screen. This need to be fixed with an unlock option for admins!

Azure Active Directory: End user experiences

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice