
knopper asked:

Self-Service Account Unlock

When using SSPR with the Unlock account option I noticed that the account unlocks in ADDS, however remains locked out in Azure AD until the defined lockout timer expires (5 minutes for the first time in the policy). Is this correct? Why not unlock it both on premises and in the cloud so that the user can continue with the sign in immediately?

azure-ad-sspr

amanpreetsingh-msft answered:

Hi @knopper,

The "Unlock account without resetting the password" option under the Password reset blade is for on-premises accounts only. What this option does is set the value of the badPwdCount attribute to 0.

For instance, if you have the account lockout threshold set to 5 in on-prem AD, the value of badPwdCount will increase with each invalid logon attempt and cannot go beyond 5. At the 6th invalid login attempt the user will get a "Your account is locked out" message.

When the user unlocks the account using the SSPR portal, the value of the badPwdCount attribute is set to 0 in on-premises AD and the user account is unlocked in on-prem AD. This setting doesn't change anything for the cloud user object. In fact, if you go to https://aka.ms/sspr and log in with a cloud-only user, you will not even get the "Unlock account without resetting the password" option. This is why this option is provided under Password reset > On-premises integration.


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.



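The answer above describes the on-premises side of the unlock: badPwdCount goes back to 0 and the account is no longer locked in AD DS, while the cloud object is untouched. The following script is an added example (not code from the answer or from Microsoft) that lets an administrator verify exactly that state. It assumes the ActiveDirectory RSAT module on a domain-joined host with read access to the domain, and the user name passed in is a placeholder. Because badPwdCount is tracked per domain controller and is not replicated (lockoutTime is), every DC is queried and the PDC emulator, which holds the authoritative count, is flagged.

```powershell
# Added example: report the on-premises lockout state that the SSPR
# "Unlock account without resetting the password" option clears.
# Assumption: ActiveDirectory RSAT module available on a domain-joined host.
Import-Module ActiveDirectory

function Get-OnPremLockoutState {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    # Domain-wide lockout policy (threshold, duration, observation window).
    $policy = Get-ADDefaultDomainPasswordPolicy
    # The PDC emulator holds the authoritative badPwdCount for the domain.
    $pdc    = (Get-ADDomain).PDCEmulator

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # badPwdCount is per-DC and not replicated, so ask each DC directly.
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                    -Properties badPwdCount, lockoutTime, LockedOut, LastBadPasswordAttempt
        } catch {
            Write-Warning "Could not query $($dc.HostName): $_"
            continue
        }

        # After an SSPR unlock, BadPwdCount and LockoutTime should both read 0
        # and LockedOut should be False on every DC.
        [pscustomobject]@{
            DomainController = $dc.HostName
            IsPdcEmulator    = ($dc.HostName -eq $pdc)
            BadPwdCount      = $u.badPwdCount
            LockoutThreshold = $policy.LockoutThreshold
            LockoutTime      = $u.lockoutTime
            LockedOut        = $u.LockedOut
            LockoutDuration  = $policy.LockoutDuration
            LastBadPassword  = $u.LastBadPasswordAttempt
        }
    }
}

# Example usage ('jdoe' is a placeholder account name):
Get-OnPremLockoutState -SamAccountName 'jdoe' | Format-Table -AutoSize
```

Running this before and after a self-service unlock shows the attribute change the answer describes. None of these attributes say anything about Azure AD smart lockout, which keeps its own state in the cloud; that separation is why the on-premises unlock does not clear the cloud lockout observed in the question.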

@amanpreetsingh-msft, thank you for this clarification. I expected a universal unlock because in this article Microsoft states:


Currently, an administrator can't unlock the users' cloud accounts if they have been locked out by the Smart Lockout capability. The administrator must wait for the lockout duration to expire. However, the user can unlock by using self-service password reset (SSPR) from a trusted device or location.


This seems to concern smart lockout, so it implies that the user unlocks the Azure AD account too.



@knopper Yes, they can unlock their accounts using the SSPR portal, but not by using the "Unlock account without resetting the password" option. They have to reset their password, which will unlock their account as well.

knopper replied to amanpreetsingh-msft:

All right, this makes it clear now, thank you!

ManuPhilip answered:

Hello @knopper,

You may change the Minimum password age property in Group Policy to reset the password immediately on-premises too.

Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies within gpedit.msc.
If you update the group policy, wait for the updated policy to replicate, or use the gpupdate /force command.

In order for passwords to be changed immediately, password writeback must be set to 0. However, if users adhere to the on-premises policies, and the Minimum password age is set to a value greater than zero, password writeback will still work after the on-premises policies are evaluated.

Thanks,
Manu


Hi, thanks for the info, but I am talking about account unlock, not password change. The SSPR option for account Unlock unlocks the account on-premises, however it doesn't seem to unlock in Azure AD until the smart lockout timer expires. This option is useful and should be set, however when the user completes self-service unlock, the account should be available for immediate sign in.



Hi @knopper,

Please check the synchronization settings using the cmdlet: Get-ADSyncScheduler

This will show you the current sync delay. Also, try to reset the delay to the preferred value:
Set-ADSyncScheduler -CustomizedSyncCycleInterval d.HH:mm:ss


Thanks,
Manu


It's 30 minutes and can't be less than that, to the best of my knowledge. :) But I'm not sure what role this plays in account unlock. The configuration uses Pass-Through Authentication.
