When you see "Account is locked because user tried to sign in too many times with an incorrect user ID or password" (error code AADSTS50053), this is due to smart lockout protection. The lockout triggers after 10 failed attempts (or 3 for US Gov clouds).

The Fix

Wait first. Stop all sign-in attempts. The initial lockout lasts 60 seconds and increases with subsequent failures, up to about 30 minutes. Continuing to attempt sign-ins extends the lockout. Wait, then try the correct credentials from a new browser session.

Check Sign-In Logs

1. Go to the Microsoft Entra admin center (entra.microsoft.com)

2. Navigate to Monitoring & health > Sign-in logs

3. Filter by error code 50053

4. Review the failure reason—"IdsLocked" indicates a legitimate user, while a malicious IP/location suggests an attack.

If the logs show unfamiliar IPs or locations, smart lockout is likely blocking an attacker.

Dismiss Risk via PowerShell

Connect to Microsoft Graph PowerShell:

Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "User.ReadWrite.All","Directory.ReadWrite.All"

View locked users and recent errors:

Get-MgRiskyUser -All | Select-Object DisplayName, RiskLevel, RiskState
Get-MgAuditLogSignIn -Filter "errorCode eq 50053" -Top 50 | Select-Object UserPrincipalName, ErrorCode, FailureReason

Dismiss the risk to unblock the account:

$UserId = "user@domain.com" # Replace with user's UPN
New-MgIdentityRiskyUserDismiss -RiskyUserId $UserId -DismissedReason "confirmedLegit"

Force Password Reset

This clears the lockout state and sets a temporary password:

$UserId = "user@domain.com"
$PasswordProfile = @{
 Password = "TempP@ssw0rd123!" # Use a strong temporary password
 ForceChangePasswordNextSignIn = $true
}
Update-MgUser -UserId $UserId -PasswordProfile $PasswordProfile

Alternatively, in the Entra admin center: Identity > Users > [User] > Reset password.

Adjust Smart Lockout Settings

Requires Entra ID P1 or P2 licensing. In the Entra admin center:

1. Go to Protection > Authentication methods > Password protection

2. Click Edit under custom smart lockout

3. Increase the lockout threshold (default 10, max 50) or adjust the lockout duration (default 60s, max 18000s)

Smart lockout cannot be disabled, only tuned.

Verify

Attempt sign-in from a private browser window with the correct credentials. Check the sign-in logs again—successful logins show error code 0. If you dismissed the risk via PowerShell, run Get-MgRiskyUser to confirm the user's RiskState is no longer "atRisk".

Common mistakes: Do not continue sign-in attempts during a lockout, as this resets the timer. Check the IP address in logs to distinguish user error from attacks. Use Microsoft Graph PowerShell, not the deprecated Azure AD module (MSOL).