I am using Azure AD Connect to sync user domains from local AD to Azure AD for the purpose of enabling MFA for system login. The local AD has a password policy that locks the user if the password is entered incorrectly more than 5 times. However, I found that the user lockout behavior between local AD and Azure AD is not synchronized, as follows:
I have set up user lockout policies on both local AD and Azure AD. If a user enters the wrong password more than 5 times through a web app that authenticates to Azure AD, the user on Azure gets locked, but the local AD user remains active. This allows the user to continue using apps that authenticate to local AD. My expectation is that the user should be locked out on both local AD and Azure AD.
Based on the above information, is it possible to synchronize user lockout between local AD and Azure AD? If so, please recommend the steps and limitations.
Thank you in advance.