Can't log in to the Azure portal - it says the account is locked out, but it also shows as signed in

Chandra Prakash Matam 21 Reputation points
2023-04-25T17:56:58.1266667+00:00

1. Issue: The user was able to log in to "portal.azure.com". As soon as the user logs in, the user gets the message "Your account has been locked. Contact your support person to unlock it, then try again". The weird part is that it shows as signed in; see the attached image below (azure login error).

2. With the same Azure credentials the user was able to log in to apps like Power BI, Azure Data Factory, Office.com, etc., but was unable to get into the Azure portal due to error code 500571.

[image: azure login 2]

  1. We have two Azure tenants: the user was created in the primary Azure tenant (A), and the same user was invited as a guest user to Azure tenant B. The user account status shows "Active" in both tenants.
  2. All these days the Azure user was able to sign in to the primary Azure portal (tenant A) and switch to the other Azure portal (tenant B) without any issues.
  3. When the user signs in to the Azure portal, sign-in logs are created like this:
     a) The 1st log says the sign-in was interrupted; this is common, as it is asking the user to save the password (single-factor authentication).
     b) The 2nd log says the sign-in status was successful with single-factor authentication.
     c) The 3rd log says the sign-in status was a failure with an MFA requirement, error code 500571, and "the guest user account is disabled".
  4. Troubleshooting steps performed: user account sessions were revoked, the user was removed from risky users, all MFA sessions were revoked, and finally a password reset was done. Still the same problem: the user is unable to get into the Azure portal.

Accepted answer
  1. Sandeep G-MSFT 18,766 Reputation points Microsoft Employee
    2023-04-28T06:20:55.52+00:00

    @Chandra Prakash Matam

    Looks like the guest account in Tenant B is disabled. I tried the same in my lab tenant and I am able to reproduce the issue.

    I disabled the account in Tenant B and pulled the guest user properties using PowerShell. I see the following:

    [image: PowerShell output showing the guest user properties]

    I logged in to tenant A using the user's credentials and was able to log in. I tried to switch directories and selected tenant B. I got the error below, as you mentioned in your post.

    [image: error shown when switching to tenant B]

    I re-enabled the account in tenant B using the command below:

    Set-AzureADUser -ObjectId "xxxxx.onmicrosoft.com#EXT#@xxxxxxx.onmicrosoft.com" -AccountEnabled $true

    Now in the PowerShell result I am able to see that the account is enabled.

    I am able to access the tenant B directory using the user account.

    To fix this issue you can run the above command, and the issue will be resolved.

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

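The accepted answer's fix, worked through end to end as an added example (this is not code from the original answer, which used the now-retired AzureAD module; the Microsoft Graph PowerShell cmdlets below are its current equivalent). The point worth noticing from the question is that every troubleshooting step listed there (session revocation, risky-user cleanup, MFA reset, password reset) acts on the home account in tenant A, while the object that was disabled is the separate guest object in tenant B, so the script connects to tenant B explicitly. The UPN, tenant ID, and the 30-day audit window are assumed placeholders, not values from the thread.

```powershell
# Added example, not from the original post. Locate the B2B guest object in the
# resource tenant (tenant B), check whether it is disabled, see who disabled it,
# and re-enable it. Requires the Microsoft.Graph.Users and Microsoft.Graph.Reports
# modules (Install-Module Microsoft.Graph).

$homeUpn = 'user@tenant-a.onmicrosoft.com'            # assumed: user as created in tenant A
$tenantB = 'b1c2d3e4-0000-0000-0000-000000000000'     # assumed: directory (tenant) ID of tenant B

# Connect to tenant B, not tenant A: the disabled object lives in the resource tenant.
Connect-MgGraph -TenantId $tenantB -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All'

# A guest's UPN in tenant B has the form <local>_<domain>#EXT#@<tenantB>.onmicrosoft.com,
# so match on the mail attribute rather than reconstructing the mangled UPN.
# accountEnabled is not returned by default and must be selected explicitly;
# filtering on userType needs the advanced-query parameters (ConsistencyLevel + $count).
$guest = Get-MgUser -Filter "mail eq '$homeUpn' and userType eq 'Guest'" `
                    -Property Id, UserPrincipalName, UserType, AccountEnabled, ExternalUserState `
                    -ConsistencyLevel eventual -CountVariable guestCount

if (-not $guest) { throw "No guest object for $homeUpn found in tenant $tenantB" }
$guest | Format-List Id, UserPrincipalName, UserType, AccountEnabled, ExternalUserState

if ($guest.AccountEnabled) {
    Write-Host "Guest is already enabled in tenant B; the 500571 failure has another cause."
    return
}

# Before flipping the flag back, find out who disabled the guest and when. A guest
# that quietly became disabled (or re-enabled) is an audit question as well as a support one.
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogDirectoryAudit -All `
    -Filter "activityDisplayName eq 'Update user' and activityDateTime ge $since" |
    Where-Object { $_.TargetResources.Id -contains $guest.Id } |
    Where-Object { $_.TargetResources.ModifiedProperties.DisplayName -contains 'AccountEnabled' } |
    Select-Object ActivityDateTime,
        @{ n = 'Actor'; e = {
            if ($_.InitiatedBy.User) { $_.InitiatedBy.User.UserPrincipalName }
            else { $_.InitiatedBy.App.DisplayName } } } |
    Format-Table -AutoSize

# Re-enable the guest: the Graph equivalent of
#   Set-AzureADUser -ObjectId <guest UPN> -AccountEnabled $true
Update-MgUser -UserId $guest.Id -BodyParameter @{ accountEnabled = $true }

# Verify the change took effect before telling the user to retry the directory switch.
$check = Get-MgUser -UserId $guest.Id -Property AccountEnabled
if (-not $check.AccountEnabled) { throw "Re-enable of $($guest.UserPrincipalName) did not take effect" }
Write-Host "Guest $($guest.UserPrincipalName) is enabled again in tenant B."
```

The script deliberately refuses to touch anything when the guest is already enabled, because then the disabled-guest explanation from the accepted answer does not apply and the sign-in log entries from the question deserve a different reading.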

1 additional answer

  1. Chandra Prakash Matam 21 Reputation points
    2023-05-03T01:10:37.42+00:00

    What we understand after finding the fix is this: when an account is disabled in one of your Azure directories, don't use it as your startup directory.

