AADSTS50053 - Account Locked or Sign-In Blocked
Azure AADSTS50053 is a defensive security block. It indicates that a sign-in attempt was rejected because the account is temporarily locked (Smart Lockout) or the source IP address has been flagged for suspicious or malicious activity.
Last reviewed: April 5, 2026 | Source-backed guidance under our editorial policy
What Does Account Locked or Sign-In Blocked Mean?
AADSTS50053 is not a "wrong password" error. It is a "stop right there" signal. Entra ID triggers this when it determines that allowing further attempts poses a risk. This happens in two main flavors: IdsLocked (the user entered the wrong password too many times) or IP Risk (the request originates from a known-malicious network). It is a proactive defense mechanism intended to thwart brute-force and password-spray attacks.
Common Causes
- Smart Lockout Triggered: Repeatedly entering incorrect credentials until the threshold is met.
- Malicious IP Reputation: The request is coming from a VPN, Tor exit node, or shared IP flagged for bot activity.
- Stale Credential "Ghost" Clients: An old mobile device or background script is continuously "poking" Entra with an expired password.
- Password Spray Attack: An external actor is trying common passwords against multiple accounts, causing your specific account to lock as a precaution.
- Shared NAT Noise: Large corporate offices sometimes share a single public IP that gains a bad reputation due to a single infected machine on the network.
How to Fix Account Locked or Sign-In Blocked
1. Inspect the Failure Reason: In the Microsoft Entra Sign-in Logs, look for the "Failure reason" detail. Is it IdsLocked or a risk-based block? You cannot fix it effectively without knowing which.
2. Identify the Culprit: If it is a lockout, find the device or app sending old credentials (check the "User Agent" in the logs).
3. Wait it Out: Smart Lockout is temporary. The default is usually 60 seconds for the first lock, increasing with subsequent failures.
4. Try a Trusted Network: If the block is IP-based, switch off the VPN or move to a known corporate network to see if the error persists.
5. Self-Service Password Reset (SSPR): If the user actually forgot their password, a successful SSPR usually clears the lockout state.
Step-by-Step Diagnosis for Account Locked or Sign-In Blocked
1. Search Microsoft Entra Sign-in logs for the specific Correlation ID or Timestamp of the failure.
2. Check the "Authentication Details" tab to see exactly which password attempts led to the block.
3. Review "Identity Protection" detections to see if the IP is flagged for "Anonymous IP address" or "Malicious IP address."
4. Verify whether the user is a "Noisy Neighbor": is one person's constant failure locking out a whole shared service account?
Smart Lockout vs. Traditional AD Lockout
- Smart Lockout: Designed to distinguish between the real user and a bot. It tracks "Good" vs. "Bad" login patterns to avoid locking out the actual owner while blocking the attacker.
- Thresholds: By default, it locks after 10 failed attempts, but these are customizable in the Entra ID Authentication Methods settings.
Identifying Ghost Retry Loops
- A common "Ghost" is the built-in iOS/Android mail app. After a password change, it may silently retry the old password in the background every 5 minutes, keeping the account permanently in a 50053 state.
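An added example, not code from the original page: a Python triage pass over exported sign-in records in the Microsoft Graph signIn shape (status.errorCode, status.failureReason, userAgent, ipAddress, createdDateTime). It does the diagnosis steps above in bulk: keeps only 50053 events, labels each client/IP group as a Smart Lockout (IdsLocked) or an IP-risk block, and flags the steady retry cadence that marks a ghost client. The sample records, the risk failure text and the function name are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the shape of Microsoft Graph signIn records; every value is made up.
# The first group imitates a mail client replaying an old password every 5 minutes, the next
# record a single risk-based block from another network, the last a later successful sign-in.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "jdoe@contoso.example", "ipAddress": "203.0.113.10",
     "userAgent": "Outlook-iOS/2.0", "createdDateTime": f"2026-04-01T08:{m:02d}:00Z",
     "status": {"errorCode": 50053, "failureReason": "IdsLocked"},
     "riskLevelDuringSignIn": "none"}
    for m in range(0, 60, 5)
] + [
    {"userPrincipalName": "jdoe@contoso.example", "ipAddress": "198.51.100.7",
     "userAgent": "Mozilla/5.0 Chrome/124", "createdDateTime": "2026-04-01T08:17:00Z",
     "status": {"errorCode": 50053, "failureReason": "Blocked due to IP risk (constructed text)"},
     "riskLevelDuringSignIn": "high"},
    {"userPrincipalName": "jdoe@contoso.example", "ipAddress": "198.51.100.7",
     "userAgent": "Mozilla/5.0 Chrome/124", "createdDateTime": "2026-04-01T09:02:00Z",
     "status": {"errorCode": 0, "failureReason": "Other."}, "riskLevelDuringSignIn": "none"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def triage_50053(signins, min_events=3, jitter_min=1.0):
    """Group AADSTS50053 failures by user, client and source IP, label each group as a
    Smart Lockout (IdsLocked) or an IP-risk block, and flag groups whose retries arrive at a
    steady cadence (within jitter_min minutes), the signature of a stale-credential client."""
    groups = defaultdict(list)
    for rec in signins:
        if rec["status"]["errorCode"] != 50053:
            continue  # only the block we are diagnosing
        key = (rec["userPrincipalName"], rec["userAgent"], rec["ipAddress"])
        groups[key].append((_ts(rec["createdDateTime"]), rec["status"]["failureReason"]))
    report = []
    for (upn, ua, ip), events in groups.items():
        events.sort()
        kind = "lockout" if any("IdsLocked" in r for _, r in events) else "ip_risk"
        gaps = [(b[0] - a[0]).total_seconds() / 60 for a, b in zip(events, events[1:])]
        cadence = median(gaps) if gaps else None
        steady = bool(gaps) and max(abs(g - cadence) for g in gaps) <= jitter_min
        report.append({"user": upn, "user_agent": ua, "ip": ip, "kind": kind,
                       "count": len(events), "median_gap_min": cadence,
                       "likely_ghost": len(events) >= min_events and steady})
    return sorted(report, key=lambda r: r["count"], reverse=True)

if __name__ == "__main__":
    print(json.dumps(triage_50053(SAMPLE_SIGNINS), indent=2))
```

Feed it the JSON you export from the Sign-in logs blade or the Graph auditLogs/signIns endpoint; the group with the highest count and `likely_ghost` set is the device to hunt down first.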
Implementation Examples
```
# Use Microsoft Graph to check current password policy
mgc identity-conditional-access-settings get
```

```javascript
// Client-side handling: turn the lockout into a clear message instead of a raw error.
try {
  await authProvider.login();
} catch (error) {
  // Some libraries (MSAL, for example) put the AADSTS code in errorMessage rather than
  // errorCode, so check both before deciding this is a lockout.
  const text = `${error.errorCode ?? ''} ${error.errorMessage ?? error.message ?? ''}`;
  if (text.includes('AADSTS50053')) {
    showNotification("Account is temporarily locked. Please wait 1 minute before trying again or contact IT.");
  } else {
    throw error; // not a lockout: let the normal error path handle it
  }
}
```

Seen in Production
The Vacation Password Trap
Frequency: high
Example: User changes password before vacation. An office PC stays on with a mapped network drive using the old password. Every 15 minutes it retries, keeping the account perpetually locked.
Fix: Use the sign-out-of-all-sessions feature in Entra ID and update the office PC credentials.
Debugging Tools
- Entra ID Sign-in Logs: The primary source for 50053 troubleshooting.
- Microsoft Identity Protection: To analyze IP-based risk signals.
- Fiddler / Network Trace: To see if a client is sending Basic Auth headers in the background.
How to Verify the Fix
- Confirm the user can log in successfully from a private or incognito browser session on a trusted network.
- Check that the failure reason in Sign-in logs has transitioned from IdsLocked to Success.
- Ensure all background service connectors (for example AD Connect or logic apps) are updated with the correct credentials.
How to Prevent Recurrence
- Modern Authentication: Move away from Basic Auth to Modern Auth (OAuth2/OpenID Connect) to reduce stale credential issues.
- Conditional Access: Use CA policies to require MFA or compliant devices, which bypasses many simple password-based risk blocks.
- Smart Lockout Tuning: Review and adjust your tenant's lockout thresholds to balance security with user experience.
- Pro tip: If you reset a user's password and they are still hitting 50053, it is almost always a background device or script that has not been updated. Find it and stop the process.
Provider Context
This guidance is specific to Azure services. Always validate implementation details against official provider documentation before deploying to production.