Azure AD Smart Lockout unlock capability for admins
I'm blown away by the lack of options once your account gets locked out by the Azure AD Smart Lockout feature. Not having the ability to monitor the account lockout duration or have the option to unlock an account using this feature is insane.
Mirza Dedic commented
Completely unproductive if we admins cannot unlock the account for the user, this is a huge PITA.
Ryan W commented
Although we are still waiting for a way to unlock, I have found that filtering the Azure AD sign-in logs to only show failure code 50053 ("Account is locked because user tried to sign in too many times with an incorrect user ID or password.") should show you who has been recently locked out. Most of these for us were from Exchange Online Basic Auth connections, so it shows the value of moving to Modern Auth only.
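The filter described in the comment above, as an added example that is not part of the original thread: it groups failure code 50053 events by user and records the client app and source IP, which is how a legacy-protocol source stands out. It assumes a JSON export whose records follow the Microsoft Graph signIn shape (`userPrincipalName`, `createdDateTime`, `clientAppUsed`, `ipAddress`, `status.errorCode`); the function name and all sample records are constructed.

```python
import json
from collections import defaultdict

SMART_LOCKOUT_CODE = 50053  # failure code quoted in the comment above

def _rec(upn, when, app, ip, code):
    """Build one constructed record in the assumed Graph signIn shape."""
    return {"userPrincipalName": upn, "createdDateTime": when,
            "clientAppUsed": app, "ipAddress": ip,
            "status": {"errorCode": code}}

# Constructed sample export (documentation IP ranges, example.com users).
SAMPLE_EXPORT = json.dumps([
    _rec("alice@example.com", "2020-01-14T09:01:12Z", "IMAP4", "203.0.113.10", 50053),
    _rec("Alice@example.com", "2020-01-14T09:03:40Z", "IMAP4", "203.0.113.10", 50053),
    _rec("bob@example.com", "2020-01-14T09:05:00Z", "Browser", "198.51.100.7", 50053),
    _rec("bob@example.com", "2020-01-14T09:30:00Z", "Browser", "198.51.100.7", 0),
    _rec("carol@example.com", "2020-01-14T10:00:00Z", "Exchange ActiveSync",
         "203.0.113.22", 50126),  # a different failure code, ignored below
])

def summarize_lockouts(export_json):
    """Return {user: summary} for sign-ins that failed with code 50053."""
    summary = defaultdict(lambda: {"count": 0, "last_seen": "",
                                   "client_apps": set(), "ips": set()})
    for rec in json.loads(export_json):
        status = rec.get("status") or {}
        if status.get("errorCode") != SMART_LOCKOUT_CODE:
            continue
        # UPN case varies between events, so normalise before grouping.
        upn = (rec.get("userPrincipalName") or "unknown").lower()
        entry = summary[upn]
        entry["count"] += 1
        # ISO 8601 UTC timestamps compare correctly as strings.
        entry["last_seen"] = max(entry["last_seen"],
                                 rec.get("createdDateTime") or "")
        entry["client_apps"].add(rec.get("clientAppUsed") or "unknown")
        entry["ips"].add(rec.get("ipAddress") or "unknown")
    return dict(summary)

if __name__ == "__main__":
    for user, info in sorted(summarize_lockouts(SAMPLE_EXPORT).items()):
        print(user, info["count"], info["last_seen"],
              sorted(info["client_apps"]), sorted(info["ips"]))
```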
Rebecca Thayer commented
I completely agree with Alex. Smart Lockout is an anti-productivity tool.
Ryan W commented
Seems to be an acknowledged limitation and SSPR is the only workaround:
"Currently, an administrator can't unlock the users' cloud accounts if they have been locked out by the Smart Lockout capability. The administrator must wait for the lockout duration to expire. However, the user can unlock by using self-service password reset (SSPR) from a trusted device or location." (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout)
Andrew Thompson commented
Any update on this? This is a real pain...
Taylor Bogle commented
Agreed. This leaves you vulnerable to Denial of Service attacks with no good way to recover.
Rich Ivey commented
I agree 100%. To not be able to unlock a user account as a Global Administrator is unacceptable. Standard users expect us to be able to take care of something like this immediately. I had a user locked out of Skype Online when he needed to be on a Skype Online call with a client presenting a proposal on-screen. This needs to be fixed with an unlock option for admins!