question

0 Votes
LaxmiPrasanna-3771 asked

Do we have any APIs to know the lock state of the user and to know whether the user is blocked?

In the Azure portal we were able to block sign-in for an AD user. Do we also have any scenario where the user gets locked? If yes, is there any API that we can hit to know whether the user is locked or blocked? It would be very helpful if we can get any information on this.

azure-active-directory

0 Votes
amanpreetsingh-msft answered

@LaxmiPrasanna-3771
When we toggle the Block sign in option to 'Yes', it basically changes the value of the AccountEnabled attribute to False. You can check this via Graph API (https://developer.microsoft.com/en-us/graph/graph-explorer).

  1. Log in to Graph Explorer with a Global Admin account by clicking on the "Sign in with Microsoft" button.

  2. Make a GET call: https://graph.microsoft.com/beta/users/USERNAME@YOUR_TENANT.onmicrosoft.com?$select=accountEnabled

  3. If you want to fetch this information about all users in your tenant, use: https://graph.microsoft.com/beta/users?$select=displayname,accountEnabled


Please "Accept as answer" wherever the information provided helps you to help others in the community.

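The two Graph calls from the answer above, as an added Python example (not code from the original post or from Microsoft). It follows `@odata.nextLink` paging and treats only an explicit `false` as blocked. Assumptions: `userPrincipalName` is added to the `$select`, a bearer token is obtained elsewhere, and the sample responses are constructed.

```python
import json
import urllib.parse
import urllib.request

GRAPH_USERS = "https://graph.microsoft.com/beta/users"  # endpoint used in the answer
LIST_URL = GRAPH_USERS + "?$select=userPrincipalName,displayName,accountEnabled"


def user_url(upn):
    """Single-user query from step 2; '#' in guest UPNs must be percent-encoded."""
    return f"{GRAPH_USERS}/{urllib.parse.quote(upn, safe='@')}?$select=accountEnabled"


def graph_get(url, token):
    """GET a Graph URL. Assumption: the caller already holds a valid bearer token."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def blocked_users(fetch, url=LIST_URL):
    """Return UPNs with accountEnabled == False, following @odata.nextLink paging."""
    blocked, seen = [], set()
    while url and url not in seen:  # stop on the last page or on a repeated link
        seen.add(url)
        page = fetch(url)
        for user in page.get("value", []):
            # Only an explicit False counts as blocked; a missing or null value does not.
            if user.get("accountEnabled") is False:
                blocked.append(user["userPrincipalName"])
        url = page.get("@odata.nextLink")
    return blocked


# Constructed sample responses (not real tenant data), keyed by request URL.
NEXT = GRAPH_USERS + "?$skiptoken=CONSTRUCTED"
SAMPLE_PAGES = {
    LIST_URL: {"value": [
        {"userPrincipalName": "alice@contoso.example", "accountEnabled": True},
        {"userPrincipalName": "bob@contoso.example", "accountEnabled": False},
    ], "@odata.nextLink": NEXT},
    NEXT: {"value": [
        {"userPrincipalName": "carol@contoso.example", "accountEnabled": None},
        {"userPrincipalName": "dave@contoso.example", "accountEnabled": False},
    ]},
}

if __name__ == "__main__":
    print(blocked_users(SAMPLE_PAGES.__getitem__))
```

Against a real tenant, pass `lambda u: graph_get(u, token)` as `fetch`.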

That is a very good question and I want to use it on my site: namnak.com
Please help me.

0 Votes

@amanpreetsingh-msft, thank you, this was really helpful.

0 Votes

0 Votes
soumi-MSFT answered

@LaxmiPrasanna-3771, there is no account lockout concept in a complete Managed Domain scenario, i.e., in case all your users are cloud users, AAD is the authority that handles your authentication. In this case, there is nothing called Account Lockout. If a cloud-only user makes bad password attempts, the Smart Lockout feature engages and forbids the user from making further attempts to log in. It governs the lockdown period based on its algorithm. You can read more on this here.

In case you have a hybrid scenario, where the authentication happens in your On-Prem Domain Controllers, then your On-Prem DCs govern the bad password attempts being made by the user during authentication. The lockouts happen based on the Account Lockout Group Policies that are deployed in your domain, and the lock and unlock status of the user can only be found in your On-Prem AD and not in AAD.

Hope this helps.



@soumi-MSFT, is there any API to get the status of the Smart Lockout of the user?

0 Votes

Can someone please help us on getting to know whether there is any API to get the smart lockout of the user?

0 Votes