Do we have any APIs to know the lock state of the user and to know whether the user is blocked?

Laxmi Prasanna 96 Reputation points
2020-02-12T09:35:17.54+00:00

In the Azure portal we were able to block the sign-in of an AD user. Do we also have any scenario where the user gets locked? If yes, is there any API that we can hit to know whether the user is locked or blocked? It would be very helpful if we can get any information on this.

Microsoft Entra ID

Accepted answer
    AmanpreetSingh-MSFT 56,306 Reputation points
    2020-02-12T10:41:39.91+00:00

    @Laxmi Prasanna
    When we toggle Block sign in option to 'Yes', it basically changes the value of AccountEnabled attribute to False. You can check this via Graph API (https://developer.microsoft.com/en-us/graph/graph-explorer)

    1. Login to graph explorer with Global Admin account by clicking on "Sign in with Microsoft" button.
    2. Make a GET call > https://graph.microsoft.com/beta/users/USERNAME@YOUR_TENANT.onmicrosoft.com?$select=accountEnabled
    3. If you want to fetch this information about all users in your tenant, use > https://graph.microsoft.com/beta/users?$select=displayname,accountEnabled

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.

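The two Graph calls in the accepted answer, wrapped in a small Python script so the result can be interpreted and paged programmatically. This is an added example, not code from the answer or from Microsoft; it assumes you already hold an OAuth bearer token for Microsoft Graph (obtained out of band, e.g. from Graph Explorer or an app registration with permission to read users), and the sample responses and user names below are constructed, not captured from a tenant. It reports only the "Block sign in" state carried by `accountEnabled`; it does not report smart-lockout or on-premises lockout state, which this page says is not surfaced through this property.

```python
import json
import urllib.parse
import urllib.request

# Endpoint used in the accepted answer (beta; accountEnabled is also on v1.0).
GRAPH_BASE = "https://graph.microsoft.com/beta"


def build_user_status_url(user_principal_name):
    """URL for one user's sign-in block state (the answer's step 2).

    The UPN is percent-encoded so '@' (and '#' in guest UPNs) cannot break the path.
    """
    encoded = urllib.parse.quote(user_principal_name, safe="")
    return f"{GRAPH_BASE}/users/{encoded}?$select=displayName,userPrincipalName,accountEnabled"


def build_all_users_url():
    """URL for the tenant-wide listing (the answer's step 3)."""
    return f"{GRAPH_BASE}/users?$select=displayName,userPrincipalName,accountEnabled"


def graph_get(url, access_token):
    """One authenticated GET against Graph; access_token is an assumed, externally obtained bearer token."""
    request = urllib.request.Request(
        url,
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def sign_in_state(user):
    """Map accountEnabled to the portal's 'Block sign in' toggle.

    accountEnabled False -> Block sign in = Yes -> 'blocked'
    accountEnabled True  -> Block sign in = No  -> 'enabled'
    missing / None       -> property not returned -> 'unknown'
    """
    enabled = user.get("accountEnabled")
    if enabled is None:
        return "unknown"
    return "enabled" if enabled else "blocked"


def blocked_users(pages):
    """Collect the UPNs whose sign-in is blocked across one or more listing pages."""
    blocked = []
    for page in pages:
        for user in page.get("value", []):
            if sign_in_state(user) == "blocked":
                blocked.append(user.get("userPrincipalName"))
    return sorted(blocked)


def iterate_pages(first_url, access_token):
    """Follow @odata.nextLink so a large tenant is not truncated at the first page."""
    url = first_url
    while url:
        page = graph_get(url, access_token)
        yield page
        url = page.get("@odata.nextLink")


# Constructed sample responses in the shape Graph returns (not real tenant data).
SAMPLE_USER = {
    "displayName": "Alice Example",
    "userPrincipalName": "alice@contoso.example",
    "accountEnabled": False,
}
SAMPLE_PAGES = [
    {
        "@odata.nextLink": f"{GRAPH_BASE}/users?$skiptoken=constructed-token",
        "value": [
            {"displayName": "Alice Example", "userPrincipalName": "alice@contoso.example", "accountEnabled": True},
            {"displayName": "Bob Example", "userPrincipalName": "bob@contoso.example", "accountEnabled": False},
        ],
    },
    {
        "value": [
            {"displayName": "Carol Example", "userPrincipalName": "carol@contoso.example", "accountEnabled": False},
            {"displayName": "Dan Example", "userPrincipalName": "dan@contoso.example"},  # property absent
        ],
    },
]


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; with a real token you would instead run
    # blocked_users(iterate_pages(build_all_users_url(), token)).
    print(build_user_status_url("USERNAME@YOUR_TENANT.onmicrosoft.com"))
    print("alice:", sign_in_state(SAMPLE_USER))
    print("blocked in tenant:", blocked_users(SAMPLE_PAGES))
```

A user whose record comes back without `accountEnabled` (for example because `$select` omitted it) is reported as `unknown` rather than silently treated as enabled, so a reporting script cannot misread a missing property as an unblocked account.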

1 additional answer

    soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-02-12T10:36:43.087+00:00

    @Laxmi Prasanna, There is no account lockout concept in a complete Managed Domain scenario, i.e. in case you have all your users in the cloud, then AAD is the authority that handles your authentication. In this case, there is nothing called Account Lockout. If a cloud-only user makes bad password attempts, the Smart Lockout feature engages and forbids the user from making further attempts to log in. It governs the lockdown period based on its algorithm. You can read more on this here.

    In case you have a hybrid scenario, where the authentication happens in your On-Prem Domain Controllers, then your On-Prem DCs govern the bad password attempts being made by the user during authentication. The lockouts happen based on the Account Lockout Group Policies that are deployed in your domain, and the lock and unlock status of the user can only be found in your On-Prem AD and not in AAD.

    Hope this helps.