AADSTS50053 - Account Locked or Sign-In Blocked
Azure AADSTS50053 is a defensive security block. It indicates that a sign-in attempt was rejected because the account is temporarily locked (Smart Lockout) or the source IP address has been flagged for suspicious or malicious activity.
Last reviewed: April 5, 2026|Editorial standard: source-backed technical guidance
What Does Account Locked or Sign-In Blocked Mean?
AADSTS50053 is not a "wrong password" error. It is a "stop right there" signal. Entra ID triggers this when it determines that allowing further attempts poses a risk. This happens in two main flavors: IdsLocked (the user entered the wrong password too many times) or IP Risk (the request originates from a known-malicious network). It is a proactive defense mechanism intended to thwart brute-force and password-spray attacks.
Common Causes
- Smart Lockout triggered: repeatedly entering incorrect credentials until the threshold is met.
- Malicious IP reputation: the request is coming from a VPN, Tor exit node, or shared IP flagged for bot activity.
- Stale-credential "ghost" clients: an old mobile device or background script keeps "poking" Entra with an expired password.
- Password spray attack: an external actor tries common passwords against many accounts, and your account locks as a precaution.
- Shared NAT noise: large corporate offices sometimes share a single public IP that gains a bad reputation because of one infected machine on the network.
How to Fix Account Locked or Sign-In Blocked
1. Inspect the failure reason: in the Microsoft Entra sign-in logs, look at the "Failure reason" field. Is it IdsLocked (smart lockout) or a risk-based IP block? You cannot fix it effectively without knowing which.
2. Identify the culprit: if it is a lockout, find the device or app that is sending old credentials (check the "User agent", "Application" and "IP address" columns of the failed sign-ins that precede the lock).
3. Wait it out: smart lockout is temporary. The default lockout duration is 60 seconds for the first lock and increases with subsequent lockouts.
4. Try a trusted network: if the block is IP-based, switch off the VPN or move to a known corporate network and check whether the error persists.
5. Self-service password reset (SSPR): if the user genuinely forgot their password, a successful SSPR usually clears the lockout. If 50053 continues after the reset, look for a client that is still replaying the old password.
Step-by-Step Diagnosis for Account Locked or Sign-In Blocked
1. Search the Microsoft Entra sign-in logs for the correlation ID or timestamp of the failure.
2. Open the "Authentication Details" tab to see exactly which password attempts led to the block.
3. Review the Identity Protection detections to see whether the IP is flagged as "Anonymous IP address" or "Malicious IP address".
4. Check for a "noisy neighbor": is one person's constant failure locking out a whole shared service account?
Smart Lockout vs. Traditional AD Lockout
- Smart Lockout: designed to tell the real user apart from a bot. It tracks "good" and "bad" sign-in patterns (including familiar locations) so the owner can keep signing in while the attacker is locked out, and it remembers the last three bad password hashes so that repeating the same wrong password does not advance the counter.
- Thresholds: by default it locks after 10 failed attempts for 60 seconds; both values are adjustable under Microsoft Entra ID > Security > Authentication methods > Password protection. In hybrid tenants using pass-through authentication, keep the Entra threshold lower than the on-premises AD lockout threshold so the cloud absorbs the attack before the on-premises account locks.
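The counting rules above are easier to reason about as code. The model below is an added example written for this page, not Microsoft's implementation: it follows the documented behaviour (per-user failure counter, default threshold 10, default 60-second lock that grows on later lockouts, and the last three bad password hashes remembered so a repeated wrong password does not advance the counter) and makes two labelled assumptions of its own, that the duration doubles per consecutive lockout and that the counter clears when a lock expires. Account names and passwords are constructed. It shows why one client replaying a single stale password behaves differently from ten distinct guesses.

```python
"""Simplified model of Entra smart lockout counting (added example, not Microsoft code)."""
import hashlib
from collections import Counter, deque
from datetime import datetime, timedelta

T0 = datetime(2026, 4, 5, 8, 0, 0)   # constructed reference time for the scenarios


def at(seconds):
    """Timestamp `seconds` after T0, to keep the scenarios readable."""
    return T0 + timedelta(seconds=seconds)


class SmartLockoutModel:
    def __init__(self, threshold=10, base_duration_s=60, hash_history=3):
        self.threshold = threshold                      # documented default: 10
        self.base_duration = timedelta(seconds=base_duration_s)  # documented default: 60 s
        self.hash_history = hash_history                # documented: last 3 bad hashes
        self._state = {}

    def _user(self, upn):
        return self._state.setdefault(upn, {
            "failures": 0,                                  # bad attempts since last reset
            "recent_bad": deque(maxlen=self.hash_history),  # hashes of recent wrong passwords
            "locked_until": None,
            "lockouts": 0,                                  # consecutive lockouts, drives escalation
        })

    def attempt(self, upn, password, correct_password, now):
        """Return 'success', 'bad_password', 'bad_password_repeat' or 'locked'."""
        s = self._user(upn)
        if s["locked_until"] is not None:
            if now < s["locked_until"]:
                return "locked"                             # what the client sees as AADSTS50053
            s["locked_until"] = None
            s["failures"] = 0                               # assumption: counter clears on expiry
        if password == correct_password:
            s["failures"] = 0
            s["lockouts"] = 0
            s["recent_bad"].clear()
            return "success"
        digest = hashlib.sha256(password.encode()).hexdigest()
        if digest in s["recent_bad"]:
            return "bad_password_repeat"                    # AADSTS50126, counter unchanged
        s["recent_bad"].append(digest)
        s["failures"] += 1
        if s["failures"] >= self.threshold:
            duration = self.base_duration * (2 ** s["lockouts"])  # assumption: doubling
            s["lockouts"] += 1
            s["failures"] = 0
            s["locked_until"] = now + duration
            return "locked"
        return "bad_password"

    def locked_until(self, upn):
        return self._user(upn)["locked_until"]


def ghost_vs_spray(model=None):
    """A stale client replaying one old password every 5 min versus ten distinct guesses."""
    model = model or SmartLockoutModel()
    ghost = [model.attempt("alice@contoso.example", "OldPassw0rd!", "NewPassw0rd!", at(300 * i))
             for i in range(20)]
    spray = [model.attempt("bob@contoso.example", f"Spring2026!{i}", "RealPassw0rd!", at(i))
             for i in range(10)]
    return {"ghost": ghost, "spray": spray,
            "ghost_locked": model.locked_until("alice@contoso.example") is not None,
            "spray_locked": model.locked_until("bob@contoso.example") is not None}


if __name__ == "__main__":
    out = ghost_vs_spray()
    print("ghost :", dict(Counter(out["ghost"])), "locked:", out["ghost_locked"])
    print("spray :", dict(Counter(out["spray"])), "locked:", out["spray_locked"])
```

The ghost never reaches the threshold because its one stale hash stays in the recent-bad window, while the spray locks on the tenth distinct guess; this is the cloud-side behaviour, and an on-premises AD lockout policy behind pass-through authentication does not deduplicate in the same way.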
Identifying Ghost Retry Loops
- A common "ghost" is the built-in iOS/Android mail app. After a password change it may silently retry the old password in the background every few minutes, so the account keeps returning to a 50053 state as soon as it unlocks. In the sign-in logs this shows up as a steady cadence of AADSTS50126 (invalid password) failures from one IP address and user agent, followed by the 50053.
- Caveat: smart lockout remembers the last three bad password hashes and does not advance the counter when the same wrong password is repeated, so a single client replaying one stale password will not by itself lock a cloud-only account. It still matters in hybrid tenants using pass-through authentication, where the on-premises AD lockout policy counts every failure, and when several stale clients or secrets are in play.
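The "identify the culprit" and diagnosis steps above, and the ghost pattern just described, come down to grouping the failed sign-ins that precede a 50053 by source. The script below is an added example, not code from the original page: it reads newline-delimited JSON shaped like an Entra sign-in log export (field names follow the Graph signIn resource: createdDateTime, userPrincipalName, ipAddress, userAgent, appDisplayName, status.errorCode, status.failureReason), classifies each 50053 as IdsLocked or an IP block, ranks the (IP, user agent, app) tuples that produced AADSTS50126 bad-password failures for the user, flags a regular retry cadence, and lists IPs that failed against several users (a spray signature). The log records are constructed for the example.

```python
"""Triage an AADSTS50053 from a sign-in log export (added example; constructed sample data)."""
import json
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

ACCOUNT_LOCKED = 50053     # AADSTS50053: smart lockout or malicious-IP block
INVALID_PASSWORD = 50126   # AADSTS50126: invalid username or password

# Constructed sample: one JSON object per line, as in a sign-in log export.
SAMPLE_SIGNIN_LOG = r"""
{"createdDateTime":"2026-04-05T08:00:02Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)","appDisplayName":"Apple Internet Accounts","status":{"errorCode":50126,"failureReason":"Error validating credentials due to invalid username or password."}}
{"createdDateTime":"2026-04-05T08:05:02Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)","appDisplayName":"Apple Internet Accounts","status":{"errorCode":50126,"failureReason":"Error validating credentials due to invalid username or password."}}
{"createdDateTime":"2026-04-05T08:10:02Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)","appDisplayName":"Apple Internet Accounts","status":{"errorCode":50126,"failureReason":"Error validating credentials due to invalid username or password."}}
{"createdDateTime":"2026-04-05T08:15:02Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","userAgent":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)","appDisplayName":"Apple Internet Accounts","status":{"errorCode":50126,"failureReason":"Error validating credentials due to invalid username or password."}}
{"createdDateTime":"2026-04-05T08:16:30Z","userPrincipalName":"alice@contoso.example","ipAddress":"198.51.100.7","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/123.0","appDisplayName":"Office 365 Exchange Online","status":{"errorCode":50053,"failureReason":"IdsLocked: The account is locked because the user tried to sign in too many times with an incorrect user ID or password."}}
{"createdDateTime":"2026-04-05T09:12:11Z","userPrincipalName":"bob@contoso.example","ipAddress":"192.0.2.99","userAgent":"Mozilla/5.0 (X11; Linux x86_64) Chrome/123.0","appDisplayName":"Azure Portal","status":{"errorCode":50053,"failureReason":"Sign-in was blocked because it came from an IP address with malicious activity."}}
{"createdDateTime":"2026-04-05T10:00:00Z","userPrincipalName":"carol@contoso.example","ipAddress":"192.0.2.200","userAgent":"python-requests/2.31.0","appDisplayName":"Office 365 Exchange Online","status":{"errorCode":50126,"failureReason":"Error validating credentials due to invalid username or password."}}
{"createdDateTime":"2026-04-05T10:00:01Z","userPrincipalName":"dave@contoso.example","ipAddress":"192.0.2.200","userAgent":"python-requests/2.31.0","appDisplayName":"Office 365 Exchange Online","status":{"errorCode":50126,"failureReason":"Error validating credentials due to invalid username or password."}}
{"createdDateTime":"2026-04-05T10:00:02Z","userPrincipalName":"erin@contoso.example","ipAddress":"192.0.2.200","userAgent":"python-requests/2.31.0","appDisplayName":"Office 365 Exchange Online","status":{"errorCode":50126,"failureReason":"Error validating credentials due to invalid username or password."}}
"""


def parse_signin_log(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify_block(record):
    """For a 50053 record, tell smart lockout apart from an IP-reputation block."""
    status = record.get("status", {})
    if status.get("errorCode") != ACCOUNT_LOCKED:
        return None
    reason = status.get("failureReason", "")
    if "IdsLocked" in reason:
        return "smart_lockout"
    if "IP address" in reason:
        return "ip_block"
    return "unknown"


def _timestamp(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def triage_user(records, upn):
    """Block types seen for `upn` plus the sources of its bad-password attempts, busiest first."""
    mine = [r for r in records if r.get("userPrincipalName", "").lower() == upn.lower()]
    block_types = Counter(c for c in map(classify_block, mine) if c)
    sources = defaultdict(list)
    for r in mine:
        if r.get("status", {}).get("errorCode") == INVALID_PASSWORD:
            sources[(r.get("ipAddress"), r.get("userAgent"), r.get("appDisplayName"))].append(_timestamp(r))
    suspects = []
    for (ip, ua, app), times in sources.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cadence = median(gaps) if gaps else None
        suspects.append({
            "ip": ip, "user_agent": ua, "app": app,
            "bad_password_attempts": len(times),
            "median_interval_s": cadence,
            # A ghost client retries on a timer: several gaps that are all nearly equal.
            "regular_cadence": len(gaps) >= 2 and (max(gaps) - min(gaps)) <= 0.1 * cadence,
            "first_seen": times[0].isoformat(), "last_seen": times[-1].isoformat(),
        })
    suspects.sort(key=lambda s: s["bad_password_attempts"], reverse=True)
    return {"upn": upn, "block_types": dict(block_types), "suspects": suspects}


def detect_spray_sources(records, min_users=3):
    """IPs whose failed attempts touched at least `min_users` distinct accounts."""
    users_by_ip = defaultdict(set)
    for r in records:
        if r.get("status", {}).get("errorCode") in (INVALID_PASSWORD, ACCOUNT_LOCKED):
            users_by_ip[r.get("ipAddress")].add(r.get("userPrincipalName"))
    return {ip: users for ip, users in users_by_ip.items() if len(users) >= min_users}


if __name__ == "__main__":
    recs = parse_signin_log(SAMPLE_SIGNIN_LOG)
    for upn in ("alice@contoso.example", "bob@contoso.example"):
        print(json.dumps(triage_user(recs, upn), indent=2))
    print("possible spray sources:", {ip: sorted(u) for ip, u in detect_spray_sources(recs).items()})
```

On the sample, alice's lock is IdsLocked and the top suspect is the iPhone mail client at 203.0.113.10 failing every 300 seconds, bob's 50053 is an IP block with no bad-password attempts of his own, and 192.0.2.200 shows the many-users-one-source shape of a spray. On a real export, run the same grouping over the hour before the 50053 and widen `min_users` to match tenant size.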
Implementation Examples

Reading tenant settings with the Microsoft Graph CLI (command as given on the original page; note that the smart lockout threshold and duration live under Microsoft Entra ID > Security > Authentication methods > Password protection, which Conditional Access settings do not return):

```shell
# Read the tenant's Conditional Access settings with the Microsoft Graph CLI
mgc identity-conditional-access-settings get
```

Client-side handling of the error. MSAL.js reports server errors with an errorCode such as "invalid_grant" and puts the AADSTS code inside errorMessage, so a comparison of errorCode against 'AADSTS50053' will not match; match on the message text instead:

```javascript
// Assumes authProvider.login() wraps an MSAL.js sign-in call.
const ACCOUNT_LOCKED = /\bAADSTS50053\b/;
try {
  await authProvider.login();
} catch (error) {
  // MSAL: error.errorMessage holds "AADSTS50053: ..."; fall back to error.message for other wrappers.
  const message = String(error?.errorMessage ?? error?.message ?? "");
  if (ACCOUNT_LOCKED.test(message)) {
    // Do not auto-retry: the lock expires on its own, and retries only add noise to the sign-in logs.
    showNotification("Account is temporarily locked. Please wait 1 minute before trying again or contact IT.");
  } else {
    throw error; // not a lockout, let the caller handle it
  }
}
```

How to Verify the Fix
- Confirm the user can sign in from a private or incognito browser session on a trusted network.
- Check that the failure reason in the sign-in logs has changed from IdsLocked to a successful sign-in, and that the 50126 bad-password failures from the stale client have stopped.
- Ensure all background service connectors (for example Microsoft Entra Connect or Logic Apps) are updated with the correct credentials.
How to Prevent Recurrence
- Modern authentication: move from Basic Auth to modern auth (OAuth 2.0/OpenID Connect) so clients hold refreshable tokens instead of a stored password that goes stale, and pair it with MFA or passwordless so a guessed password alone is not enough.
- Conditional Access: CA policies do not prevent 50053, but requiring MFA or a compliant device limits what a sprayed or guessed password is worth, and risk-based (sign-in risk) policies let you challenge or block selectively rather than relying on the lockout alone.
- Smart Lockout tuning: review and adjust the tenant's lockout threshold and duration to balance security with user experience; in hybrid tenants keep the cloud threshold below the on-premises one.
- Pro tip: if you reset a user's password and they are still hitting 50053, it is almost always a background device or script that has not been updated, or a spray hitting the account from outside. Find the source in the sign-in logs and stop it.