Self-Service Account Unlock

Yordan Yordanov 466 Reputation points
2020-05-23T14:20:49.017+00:00

When using SSPR with the Unlock account option, I noticed that the account unlocks in AD DS; however, it remains locked out in Azure AD until the defined lockout timer expires (5 minutes for the first time in the policy). Is this correct? Why not unlock it both on-premises and in the cloud so that the user can continue with the sign-in immediately?


Accepted answer
    AmanpreetSingh-MSFT 56,311 Reputation points
    2020-05-23T16:44:53.863+00:00

    Hi @Yordan Yordanov ,

    The "Unlock account without resetting the password" option under the Password reset blade is for on-premises accounts only. What this option does is set the value of the badPwdCount attribute to 0.

    For instance, if you have the account lockout threshold set to 5 in on-prem AD, the value of badPwdCount will increase with each invalid logon attempt, and it cannot go beyond 5. At the 6th invalid login attempt the user will get the "Your account is locked out" message.

    When the user unlocks the account using the SSPR portal, the value of the badPwdCount attribute is set to 0 in on-premises AD and the user account is unlocked in on-prem AD. This setting doesn't change anything for the cloud user object. In fact, if you go to https://aka.ms/sspr and log in with a cloud-only user, you will not even get the "Unlock account without resetting the password" option. This is why this option is provided under Password reset > On-premises integration.

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

    2 people found this answer helpful.
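The accepted answer's point, that the SSPR unlock only touches the on-premises object, can be verified from the directory side. The following PowerShell is an added example, not code from the question or either answer: it reads the lockout policy and then the non-replicated badPwdCount and lockoutTime attributes on every domain controller, which is where an administrator would confirm that the on-prem unlock actually happened. It assumes the RSAT ActiveDirectory module and uses a placeholder account name, `jdoe`.

```powershell
# Added example (not from the original Q&A): check the on-premises lockout state
# of one account on every domain controller. Assumes the ActiveDirectory module
# is installed and the current user can read the domain; 'jdoe' is a placeholder.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'   # placeholder identity

# The lockout threshold the accepted answer refers to (5 in its example).
$policy = Get-ADDefaultDomainPasswordPolicy
"LockoutThreshold={0} LockoutDuration={1} ObservationWindow={2}" -f `
    $policy.LockoutThreshold, $policy.LockoutDuration, $policy.LockoutObservationWindow

# badPwdCount and lockoutTime are not replicated between DCs, so each DC must be
# queried directly; the PDC emulator holds the authoritative count.
$pdc = (Get-ADDomain).PDCEmulator
foreach ($dc in Get-ADDomainController -Filter *) {
    $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
         -Properties badPwdCount, lockoutTime, LockedOut
    $lockedSince = if ($u.lockoutTime -gt 0) {
        [DateTime]::FromFileTime($u.lockoutTime)   # lockoutTime is a Windows FILETIME
    } else { 'n/a' }
    [PSCustomObject]@{
        DC          = $dc.HostName
        IsPDC       = ($dc.HostName -eq $pdc)
        badPwdCount = $u.badPwdCount
        LockedOut   = $u.LockedOut
        LockedSince = $lockedSince
    }
}

# Administrative equivalent of the SSPR "Unlock account" action. Like SSPR it
# only changes the on-premises object; the Entra ID / Azure AD object is not
# affected. Targeting the PDC emulator makes the change authoritative.
# Unlock-ADAccount -Identity $SamAccountName -Server $pdc
```

After an SSPR unlock, the PDC emulator row should show badPwdCount 0 and LockedOut False; a DC that still shows a non-zero count has simply not received the urgent replication yet. Nothing in this check can observe the cloud-side lockout, which is exactly the asymmetry the question describes.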

1 additional answer

    Manu Philip 16,986 Reputation points MVP
    2020-05-23T15:20:37.183+00:00

    Hello @Yordan Yordanov ,

    You may change the Minimum password age property in Group Policy to reset the password immediately on-premises too.

    Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies within gpedit.msc.
    If you update the group policy, wait for the updated policy to replicate, or use the gpupdate /force command.

    In order for passwords to be changed immediately, password writeback must be set to 0. However, if users adhere to the on-premises policies and the Minimum password age is set to a value greater than zero, password writeback will still work after the on-premises policies are evaluated.

    Thanks,
    Manu

    1 person found this answer helpful.