Azure AD Smart Lockout unlock capability for admins
I'm blown away by the lack of options once your account gets locked out by the Azure AD Smart Lockout feature. Not having the ability to monitor the account lockout duration or have the option to unlock an account using this feature is insane.
There really should be a way for Global Admin and User Administrator to unlock a user. Waiting 30 minutes for it to unlock is simply insane.
I wanted to chime in and offer what worked for me.
We run a hybrid environment -- on-prem domain controllers and Azure.
I am not 100% sure on exactly what is required because I didn't get a chance to check after each step.
First, in the on-prem AD... the account was set to EXPIRE. I changed that back to never.
I then signed onto a local machine and was prompted to change the password.
I then logged into myprofile.microsoft.com and everything was good again in the world.
Good luck, just lost 2 hours of time I didn't have.
I would like to know what is behind the decision not to enable an option to have a report of locked accounts, nor the option to unlock them.
Need this resolved ASAP.
Jakir Hussein commented
For an Account Locked Out issue ticket to be resolved, it normally would take 1 minute, but it was very unfortunate to witness that we ended up waiting for more than an hour to know how to unlock an account in Azure Active Directory. The alternative workaround of resetting the password resulted in many more account lockouts happening for the user due to the new password not being updated on all the multiple devices.
Do not know why the Microsoft engineering team missed out on having the unlock feature to unlock the account as we could do in Active Directory. Global Admins are literally suffering due to this limitation of Azure Active Directory. An immediate consideration and inclusion of this feature to unlock AD accounts by Global Admins would be appreciated.
DePalma, Mark commented
How do we not have this yet? Asking a user to do a full SSPR (if you even have it on) is crazy just to unlock an account.
Mirza Dedic commented
Completely unproductive if we admins cannot unlock the account for the user, this is a huge PITA.
Ryan W commented
Although we are still waiting for a way to unlock, I have found that filtering the Azure AD sign-in logs to only show failure code 50053 ("Account is locked because user tried to sign in too many times with an incorrect user ID or password.") should show you who has been recently locked out. Most of these for us were from Exchange Online Basic Auth connections, so it shows the value of moving to Modern Auth only.
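The filter Ryan W describes, run offline over exported sign-in records, as an added Python example (not code from this thread or from Microsoft). The records are constructed inline and follow the field names of the Microsoft Graph signIn resource (userPrincipalName, createdDateTime, appDisplayName, clientAppUsed, status.errorCode); the user names are made up, and which clientAppUsed values are treated as legacy (Basic) auth is an assumption made for the example. It goes slightly beyond the comment by also counting lockouts per user, recording the latest lockout time (the point from which the tenant's lockout duration runs) and separating lockouts caused by legacy clients from the rest.

```python
"""Summarise Azure AD Smart Lockout events (sign-in failure code 50053).

Added example, not from the original thread. SAMPLE_SIGNINS is constructed
data shaped like the Microsoft Graph signIn resource; LEGACY_CLIENTS is an
assumption about which clientAppUsed values indicate Basic Auth.
"""
from collections import Counter, defaultdict
from datetime import datetime

# "Account is locked because user tried to sign in too many times with an
# incorrect user ID or password."
SMART_LOCKOUT_CODE = 50053

# clientAppUsed values treated as legacy auth here (assumption; adjust per tenant).
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}


def sign_in(upn, when, app, client, code):
    """Build one constructed sign-in record in the Graph signIn shape."""
    return {"userPrincipalName": upn, "createdDateTime": when, "appDisplayName": app,
            "clientAppUsed": client, "status": {"errorCode": code}}


# Constructed sample records; not real tenant logs. Users are placeholders.
SAMPLE_SIGNINS = [
    sign_in("alice@contoso.example", "2021-03-10T08:00:05Z", "Office 365 Exchange Online", "Exchange ActiveSync", 50053),
    sign_in("alice@contoso.example", "2021-03-10T08:00:09Z", "Office 365 Exchange Online", "Exchange ActiveSync", 50053),
    sign_in("Alice@contoso.example", "2021-03-10T08:02:30Z", "Office 365 Portal", "Browser", 50053),
    sign_in("bob@contoso.example", "2021-03-09T12:00:00Z", "Office 365 Exchange Online", "IMAP4", 50053),
    sign_in("bob@contoso.example", "2021-03-10T07:45:00Z", "Office 365 Exchange Online", "IMAP4", 50053),
    sign_in("carol@contoso.example", "2021-03-10T08:10:00Z", "Microsoft Teams", "Mobile Apps and Desktop clients", 0),
    sign_in("dave@contoso.example", "2021-03-10T08:11:00Z", "Office 365 Portal", "Browser", 50126),  # bad password, not a lockout
]


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamp format used in the sign-in logs."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def lockout_events(records, since=None):
    """Keep only sign-ins rejected with the Smart Lockout code, optionally at or after `since`."""
    out = []
    for r in records:
        if r.get("status", {}).get("errorCode") != SMART_LOCKOUT_CODE:
            continue
        if since is not None and parse_time(r["createdDateTime"]) < since:
            continue
        out.append(r)
    return out


def lockouts_by_user(records, since=None):
    """Count 50053 events per user; UPNs are normalised to lower case."""
    return dict(Counter(r["userPrincipalName"].lower() for r in lockout_events(records, since)))


def latest_lockout(records):
    """Most recent 50053 timestamp per user; the lockout duration runs from about here."""
    latest = {}
    for r in lockout_events(records):
        upn = r["userPrincipalName"].lower()
        t = parse_time(r["createdDateTime"])
        if upn not in latest or t > latest[upn]:
            latest[upn] = t
    return latest


def legacy_auth_lockouts(records):
    """Map each locked-out user to the legacy client types that produced 50053s."""
    by_user = defaultdict(set)
    for r in lockout_events(records):
        if r.get("clientAppUsed") in LEGACY_CLIENTS:
            by_user[r["userPrincipalName"].lower()].add(r["clientAppUsed"])
    return {u: sorted(c) for u, c in by_user.items()}


def report(records, since=None):
    """Return one summary line per locked-out user, for an admin to act on."""
    counts = lockouts_by_user(records, since)
    latest = latest_lockout(records)
    legacy = legacy_auth_lockouts(records)
    lines = []
    for upn in sorted(counts):
        via = ", ".join(legacy.get(upn, [])) or "modern clients only"
        lines.append(f"{upn}: {counts[upn]} lockout(s), last at {latest[upn].isoformat()}, legacy auth: {via}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SIGNINS, since=parse_time("2021-03-10T00:00:00Z")):
        print(line)
```

The same filter can be applied directly in the portal (sign-in logs, status "Failure", sign-in error code 50053) or in a Log Analytics query on ResultType; the point of the legacy-client split is the one Ryan makes, that lockouts coming from Basic Auth clients are a reason to move to Modern Auth rather than something to unlock repeatedly.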
Rebecca Thayer commented
I completely agree with Alex. Smart Lockout is an anti-productivity tool.
Ryan W commented
Seems to be an acknowledged limitation and SSPR is the only workaround:
"Currently, an administrator can't unlock the users' cloud accounts if they have been locked out by the Smart Lockout capability. The administrator must wait for the lockout duration to expire. However, the user can unlock by using self-service password reset (SSPR) from a trusted device or location." (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout)
Andrew Thompson commented
Any update on this? This is a real pain...
Taylor Bogle commented
Agreed. This leaves you vulnerable to Denial of Service attacks with no good way to recover.
Rich Ivey commented
I agree 100%. To not be able to unlock a user account as a Global Administrator is unacceptable. Standard users expect us to be able to take care of something like this immediately. I had a user locked out of Skype Online when he needed to be on a Skype Online call with a client, presenting a proposal on-screen. This needs to be fixed with an unlock option for admins!