Self-Service Account Unlock

Yordan Yordanov 436 Reputation points

When using SSPR with the Unlock account option I noticed that the account unlocks in ADDS, however remains locked out in Azure AD until the defined lockout timer expires (5 minutes for the first time in the policy). Is this correct? Why not unlock it both on premises and in the cloud so that the user can continue with the sign in immediately?


Accepted answer
AmanpreetSingh-MSFT 55,531 Reputation points

    Hi @Yordan Yordanov ,

    The "Unlock account without resetting the password" option under the password reset blade is for on-premises accounts only. What this option does is set the value of the badPwdCount attribute to 0.

    For instance, if you have the account lockout threshold set to 5 in on-prem AD, the value of badPwdCount will increase with each invalid logon attempt and it cannot go beyond 5. At the 6th invalid login attempt, the user will get the "Your account is locked out" message.

    When the user unlocks the account using the SSPR portal, the value of the badPwdCount attribute is set to 0 in on-premises AD and the user account is unlocked in on-prem AD. This setting doesn't change anything for the cloud user object. In fact, if you go to and log in with a cloud-only user, you will not even get the "Unlock account without resetting the password" option. This is why this option is provided under Password reset > On-premises integration.


    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

    2 people found this answer helpful.
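The accepted answer describes the on-premises side of the unlock: badPwdCount is compared against the domain lockout threshold, and the SSPR unlock simply resets that counter. The following script is an added example, not from this thread or from Microsoft, that lets an administrator verify exactly that state. It queries every domain controller individually, because badPwdCount, badPasswordTime and lockoutTime are not replicated between DCs (the PDC emulator receives a copy of each failed attempt and is the authoritative place to look). It uses only the ActiveDirectory RSAT module cmdlets (Get-ADDefaultDomainPasswordPolicy, Get-ADDomain, Get-ADDomainController, Get-ADUser); the account name in the usage line is a placeholder. Nothing here reads or changes Azure AD lockout state, consistent with the answer's point that the on-premises unlock does not touch the cloud object.

```powershell
# Added example (not from the Q&A thread): per-DC lockout report for one on-premises account.
# Requires the ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

function Get-AccountLockoutReport {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    # Domain-wide lockout policy: the "threshold set to 5" the accepted answer refers to,
    # plus the duration that decides when the account unlocks on its own.
    $policy    = Get-ADDefaultDomainPasswordPolicy
    $threshold = $policy.LockoutThreshold
    $duration  = $policy.LockoutDuration

    $pdc = (Get-ADDomain).PDCEmulator
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    foreach ($dc in $dcs) {
        try {
            # Ask each DC directly; these attributes are local to the DC, not replicated.
            $u = Get-ADUser -Identity $SamAccountName -Server $dc `
                    -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut `
                    -ErrorAction Stop
        }
        catch {
            Write-Warning "Could not query $dc for ${SamAccountName}: $($_.Exception.Message)"
            continue
        }

        [pscustomobject]@{
            DomainController = $dc
            IsPdcEmulator    = ($dc -eq $pdc)
            BadPwdCount      = $u.badPwdCount
            LockoutThreshold = $threshold
            LockoutDuration  = $duration
            LockedOut        = $u.LockedOut
            # lockoutTime/badPasswordTime are stored as Windows FILETIME (0 = never)
            LockoutTime      = if ($u.lockoutTime -gt 0)     { [DateTime]::FromFileTime($u.lockoutTime) }     else { $null }
            LastBadPassword  = if ($u.badPasswordTime -gt 0) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
        }
    }
}

# Usage (placeholder account name):
Get-AccountLockoutReport -SamAccountName 'jdoe' | Format-Table -AutoSize
```

Run this before and after an SSPR unlock: before, the PDC emulator row shows BadPwdCount at the threshold and LockedOut = True; after, BadPwdCount is 0 and LockedOut = False on the on-premises side, while any cloud-side lockout the question describes is outside what this script (or the on-premises unlock) can see. The manual equivalent of the SSPR action is `Unlock-ADAccount -Identity jdoe -Server $pdc`.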

1 additional answer

Manu Philip 14,551 Reputation points MVP

    Hello @Yordan Yordanov ,

    You may change the Minimum password age property in group policy to reset the password immediately in on-premises too.

    Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies within gpedit.msc.
    If you update the group policy, wait for the updated policy to replicate, or use the gpupdate /force command.

    In order for passwords to be changed immediately, password writeback must be set to 0. However, if users adhere to the on-premises policies, and the Minimum password age is set to a value greater than zero, password writeback will still work after the on-premises policies are evaluated.


    1 person found this answer helpful.