Account Lockouts: Self-Service & IT Admin Procedures
This document explains how end users can unlock/reset their accounts and how IT admins can assist using Microsoft 365 Admin Center, Entra ID (Azure AD), and on-prem Active Directory.
1) Prerequisites & Design
- Enable Self-Service Password Reset (SSPR) in Entra ID for users.
- If you sync on-prem AD users, enable Azure AD Connect Password Writeback so SSPR updates on-prem passwords.
- Encourage users to register at least two authentication methods at mysignins.microsoft.com/security-info.
- Admins should use MFA and least-privilege roles.
2) End-User Self-Service (SSPR)
2.1 Online Portal (recommended)
- Go to passwordreset.microsoftonline.com.
- Enter your work/school email and verify via SMS, Email, or Authenticator.
- Set a new password that meets policy (length + uppercase + lowercase + number + symbol).
- Sign in at portal.office.com.
2.2 Windows Login Screen
- At the Windows sign-in screen, press Ctrl+Alt+Delete (or click Reset password if shown).
- Follow the prompts to verify identity and set a new password.
2.3 Change Password While Logged In
- Press Ctrl+Alt+Delete → Change a password.
- Enter current password, then a new compliant password.
Tip: Keep your security info updated at mysignins.microsoft.com/security-info.
If you don’t see Reset password on the login screen, contact IT.
3) Enablement for IT (SSPR & Writeback)
3.1 Turn On SSPR (Entra ID)
- Azure Portal → Entra ID (Azure AD) → Password reset.
- Properties: Enable for Selected or All users.
- Choose required authentication methods (Phone, Email, Authenticator).
- Enable notifications for users and admins.
3.2 Password Writeback (on-prem AD)
- On Azure AD Connect server → Customize synchronization options.
- Under Optional Features, enable Password writeback.
- Verify that writeback shows as Enabled in Entra ID → Password reset → On-premises integration.
Note: If Password Writeback is enabled, SSPR resets flow back to on-prem AD for synced users.
4) IT Admin Runbook
4.1 Microsoft 365 Admin Center
- Go to admin.microsoft.com → Users > Active users.
- Select the user → Reset password.
- Use Block/Unblock sign-in if required.
4.2 Entra ID
- Azure Portal → Entra ID → Users.
- Authentication methods → Require re-register or remove existing methods.
4.3 On-Prem AD (ADUC GUI)
- Open Active Directory Users and Computers.
- Right-click user → Reset Password or Unlock.
4.4 PowerShell Snippets
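# Cloud (MSOnline). Note: the MSOnline module is deprecated in favor of Microsoft Graph PowerShell.
Connect-MsolService
# Sample password shown; use a unique temporary value. The user must change it at next sign-in.
Set-MsolUserPassword -UserPrincipalName user@domain.com -NewPassword 'TempP@ssw0rd!' -ForceChangePassword $true
# On-prem Active Directory (RSAT ActiveDirectory module)
Import-Module ActiveDirectory
# Clear the lockout on the account.
Unlock-ADAccount -Identity "username"
# Set a temporary password (sample value shown; use a unique one per reset).
Set-ADAccountPassword -Identity "username" -Reset -NewPassword (ConvertTo-SecureString "NewP@ssw0rd1" -AsPlainText -Force)
# Force the user to choose a new password at next logon.
Set-ADUser -Identity "username" -ChangePasswordAtLogon $true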
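A hardened variant of the on-prem snippet, as an added example that is not part of the original runbook: it generates a unique temporary password meeting the policy in 2.1 instead of a fixed literal, unlocks only when the account is actually locked, and supports -WhatIf. The function names New-TempPassword and Reset-LockedAdUser, the 16-character default and the character sets are assumptions.

```powershell
# Added example, not from the runbook. Requires the RSAT ActiveDirectory module.
# New-TempPassword and Reset-LockedAdUser are hypothetical names.
Import-Module ActiveDirectory

function New-TempPassword {
    param([ValidateRange(12, 64)][int]$Length = 16)
    # One set per policy requirement: uppercase, lowercase, number, symbol.
    $classes = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnpqrstuvwxyz', '23456789', '!#%&*+-=?@_'
    $all   = -join $classes
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    # Random index in [0, max) from the OS CSPRNG (modulo bias is negligible here).
    $next = {
        param($max)
        $rng.GetBytes($bytes)
        [int]([System.BitConverter]::ToUInt32($bytes, 0) % $max)
    }
    $chars = [System.Collections.Generic.List[char]]::new()
    foreach ($set in $classes) { $chars.Add($set[(& $next $set.Length)]) }
    while ($chars.Count -lt $Length) { $chars.Add($all[(& $next $all.Length)]) }
    # Fisher-Yates shuffle so the guaranteed characters are not at fixed positions.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = & $next ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    $rng.Dispose()
    -join $chars.ToArray()
}

function Reset-LockedAdUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)

    # LockedOut is not in the default property set, so request it explicitly.
    $user = Get-ADUser -Identity $Identity -Properties LockedOut
    if (-not $PSCmdlet.ShouldProcess($user.SamAccountName, 'Unlock and reset password')) { return }

    if ($user.LockedOut) { Unlock-ADAccount -Identity $user }
    $plain = New-TempPassword
    Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString $plain -AsPlainText -Force)
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true

    # Returned once to the operator; it is never written to disk or hard-coded in the script.
    [pscustomobject]@{ User = $user.SamAccountName; WasLocked = $user.LockedOut; TempPassword = $plain }
}
```

Run `Reset-LockedAdUser -Identity username -WhatIf` first to confirm the target account before making the change.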
5) Testing Checklist
- Verify registration at mysignins.microsoft.com/security-info.
- Confirm reset works at passwordreset.microsoftonline.com.
- Ensure synced user SSPR writes back to on-prem AD.
- Check the Entra sign-in and audit logs.
6) Troubleshooting
- No “Reset password” link: SSPR not enabled or policy disabled.
- SSPR fails for synced users: Check AAD Connect and Password Writeback status.
- SMS not received: Verify the mobile number on file or use Authenticator as a backup.
- Still locked: Admin unlock via ADUC or PowerShell.