Unlock a User Account in Entra ID / Microsoft 365

Users in Entra ID (formerly Azure AD) can become unable to sign in for several distinct reasons that all get colloquially called "locked out":

• Smart lockout triggered by repeated bad password attempts — Entra ID temporarily blocks sign-ins from the offending source.
• Account disabled (accountEnabled = false) — often set by a lifecycle policy, HR offboarding automation, or a prior admin action.
• Risky user state in Identity Protection — Entra has flagged the account and is blocking sign-ins until risk is remediated.
• Password expired or MFA registration incomplete.

This recipe covers the standard unlock workflow an IT admin runs when a user (e.g. AlexW@contoso.onmicrosoft.com) calls the help desk saying they can't sign in. It walks through diagnosing the lockout cause, clearing it, and confirming the user can sign in again.

After completing this recipe you will have:

• Identified the specific reason the user cannot sign in (smart lockout, disabled account, risk state, or expired credential).
• Re-enabled the account and/or dismissed the risky-user state as appropriate.
• Optionally reset the password and issued a Temporary Access Pass (TAP) if the user has forgotten their credentials.
• Revoked existing refresh tokens so stale sessions on compromised devices cannot be reused.
• Confirmed with the user that sign-in succeeds.
• An audit trail entry in the Entra audit log showing who performed the unlock and when.

Verify the requester's identity before unlocking. Account-unlock social engineering is one of the most common help-desk attack vectors. Require a secondary verification channel (Teams video call, manager confirmation, or a pre-registered callback number) before clearing lockout or resetting a password.

• Do not dismiss risk without investigation. If Identity Protection flagged the user, check sign-in logs for suspicious IPs or impossible-travel events. Clearing risk blindly can leave an attacker with valid access.
• Revoke sessions after a password reset. A reset alone does not invalidate existing refresh tokens. Always run a session revocation if there is any suspicion of compromise.
• Smart lockout clears on its own. The default Entra smart-lockout duration is 60 seconds and scales with repeated bad attempts. There is no direct "unlock smart lockout" API — you reset the password or wait it out.
• Federated accounts (synced from on-premises AD) must be unlocked in on-prem AD, not in Entra. Check onPremisesSyncEnabled first.
• Privileged accounts (Global Admin, Privileged Role Admin) require extra scrutiny and should be unlocked by a second admin under the four-eyes principle.