Do we have any APIs to know the lock state of the user and to know whether the user is blocked?

Laxmi Prasanna 96 Reputation points

In the Azure portal we were able to block sign-in for an AD user. Do we also have any scenario where the user gets locked? If yes, is there any API that we can hit to know whether the user is locked or blocked? It would be very helpful if we can get any information on this.

Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.

Accepted answer
  1. AmanpreetSingh-MSFT 55,541 Reputation points

    @Laxmi Prasanna
    When we toggle the Block sign in option to 'Yes', it basically changes the value of the AccountEnabled attribute to False. You can check this via Graph API (

    1. Log in to Graph Explorer with a Global Admin account by clicking on the "Sign in with Microsoft" button.
    2. Make a GET call >$select=accountEnabled
    3. If you want to fetch this information about all users in your tenant, use >$select=displayname,accountEnabled


    Please "Accept as answer" wherever the information provided helps you to help others in the community.

    1 person found this answer helpful.
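
The check described in the accepted answer, as an added example that is not part of the original thread: it requests `accountEnabled` from the Microsoft Graph v1.0 `/users` endpoint, follows `@odata.nextLink` paging, and groups users by sign-in state. The `fetch` hook, the `userPrincipalName` selection and the sample pages are assumptions constructed for the example so it runs offline; `graph_get` is the live equivalent and expects a token you have already obtained.

```python
import json
import urllib.request
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"

def users_url(select=("displayName", "userPrincipalName", "accountEnabled")):
    # accountEnabled is not in the default property set, so it must be selected.
    return f"{GRAPH}/users?" + urlencode({"$select": ",".join(select)}, safe="$,")

def graph_get(url, token):
    """Live fetch: GET with a bearer token (token acquisition is out of scope)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def sign_in_state(user):
    # False means "Block sign in" is Yes. A missing or null value is reported
    # as "unknown" rather than silently treated as enabled.
    enabled = user.get("accountEnabled")
    if enabled is None:
        return "unknown"
    return "enabled" if enabled else "blocked"

def audit_users(fetch, start_url=None):
    """Walk every result page and group userPrincipalNames by sign-in state."""
    report = {"enabled": [], "blocked": [], "unknown": []}
    url = start_url or users_url()
    while url:
        page = fetch(url)
        for user in page.get("value", []):
            report[sign_in_state(user)].append(user.get("userPrincipalName"))
        url = page.get("@odata.nextLink")  # absent on the last page
    return report

# Constructed sample responses (not real tenant data), two pages long.
_P1 = users_url()
_P2 = _P1 + "&$skiptoken=CONSTRUCTED"
SAMPLE_PAGES = {
    _P1: {"@odata.nextLink": _P2, "value": [
        {"userPrincipalName": "alice@contoso.example", "accountEnabled": True},
        {"userPrincipalName": "bob@contoso.example", "accountEnabled": False}]},
    _P2: {"value": [
        {"userPrincipalName": "carol@contoso.example", "accountEnabled": False},
        {"userPrincipalName": "svc@contoso.example"}]},  # property not returned
}

if __name__ == "__main__":
    print(json.dumps(audit_users(SAMPLE_PAGES.__getitem__), indent=2))
```

`accountEnabled` reflects only the Block sign in toggle; it does not change when an account is temporarily locked out after bad password attempts.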

1 additional answer

  1. soumi-MSFT 11,651 Reputation points Microsoft Employee

    @Laxmi Prasanna, There is no account lockout concept in a complete Managed Domain scenario, i.e. in case you have all your cloud users, then AAD is the authority that handles your authentication. In this case, there is nothing called Account Lockout. If a cloud only user makes bad password attempts, the Smart Lockout feature engages and forbids the user from making further attempts to log in. It governs the lockdown period based on its algorithm. You can read more on this here.

    In case you have a hybrid scenario, where the authentication happens in your On-Prem Domain Controllers, then your On-Prem DCs govern the bad password attempts being made by the user during authentication. The lockouts happen based on the Account Lockout Group Policies that are deployed in your domain, and the lock and unlock status of the user can only be found in your On-Prem AD and not in AAD.

    Hope this helps.