Microsoft Entra sign-in failed because the user account is disabled
The user account is disabled.
Microsoft Entra ID rejected the sign-in because the user object in the resource tenant has been disabled. A disabled account cannot authenticate regardless of correct credentials or MFA. The account must be re-enabled by an administrator before the user can sign in.
An administrator explicitly disabled the user account in the Microsoft Entra admin center or via PowerShell/Graph API.
The account was disabled automatically by a Microsoft Entra ID Protection risk policy because a high-risk sign-in or user risk was detected.
In a hybrid environment, the on-premises Active Directory account was disabled and the disabled state was synchronised to Entra ID via Microsoft Entra Connect (Azure AD Connect).
A lifecycle management workflow (e.g., Joiner-Mover-Leaver via Entra ID Governance) automatically disabled the account based on an HR or directory trigger such as a termination date.
The account is a guest or B2B user that was disabled in the resource tenant after a previous access review or administrative action.
An automated script or third-party identity governance tool disabled the account as part of a scheduled review or compliance action.
How to fix it
To re-enable the account manually: in the Microsoft Entra admin center, navigate to Users > All users, select the affected user, open their profile, and set Account enabled to Yes. Save the change.
Via PowerShell: `Update-MgUser -UserId '<UPN or ObjectId>' -AccountEnabled:$true`
Via Azure CLI: `az ad user update --id '<UPN>' --account-enabled true`
If the account was disabled by an Identity Protection risk policy: investigate the risk event first (Protection > Identity Protection > Risky users), remediate the risk (e.g., confirm safe sign-in, require MFA re-registration, or reset the password), then re-enable the account.
If the account is disabled due to on-premises AD sync: re-enable the account in on-premises Active Directory (Active Directory Users and Computers > right-click user > Enable Account) and wait for the next sync cycle, or run `Start-ADSyncSyncCycle -PolicyType Delta` to force a sync.
If the account was disabled by a lifecycle workflow: review the Entra ID Governance Lifecycle Workflows to understand which workflow triggered the action, correct the HR or directory attribute that caused it, and re-enable the account after confirming the trigger is resolved.
Before re-enabling, confirm with the appropriate team (HR, security, IT management) that re-enabling the account is appropriate, especially if it was disabled for security or compliance reasons.
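Which of the fix paths above applies depends on what disabled the account. The following is an added example, not code from the original page or from Microsoft: it classifies the cause from the user object and its disable events in the audit log. The function name `Get-DisableCause`, the sample identities, and the assumption that disable events carry the activity name 'Disable account' are illustrative.

```powershell
# Added example: decide which re-enable path applies to a disabled account.
# Inputs have the shape of Get-MgUser and Get-MgAuditLogDirectoryAudit output.
function Get-DisableCause {
    param(
        [Parameter(Mandatory)] $User,
        [object[]] $Audits = @()
    )
    if ($User.AccountEnabled) {
        return [pscustomobject]@{ Cause = 'NotDisabled'; Actor = $null; When = $null
            NextStep = 'Account is enabled; nothing to re-enable.' }
    }
    # Newest disable event, if one is still inside audit log retention.
    $last  = $Audits | Sort-Object ActivityDateTime -Descending | Select-Object -First 1
    $app   = $last.InitiatedBy.App.DisplayName
    $admin = $last.InitiatedBy.User.UserPrincipalName

    if ($User.OnPremisesSyncEnabled) {
        # Synced accounts must be fixed at the source, or the next sync disables them again.
        $cause = 'OnPremSync'; $actor = 'Microsoft Entra Connect'
        $next  = 'Enable the account in on-premises AD, then Start-ADSyncSyncCycle -PolicyType Delta.'
    } elseif ($app) {
        $cause = 'Automation'; $actor = $app
        $next  = 'Find the workflow, script or governance tool behind this app and fix its trigger first.'
    } elseif ($admin) {
        $cause = 'Administrator'; $actor = $admin
        $next  = 'Confirm with that administrator, then Update-MgUser -AccountEnabled:$true.'
    } else {
        $cause = 'Unknown'; $actor = $null
        $next  = 'No disable event found; confirm with HR/security before re-enabling.'
    }
    [pscustomobject]@{ Cause = $cause; Actor = $actor; When = $last.ActivityDateTime; NextStep = $next }
}

# Constructed sample data (hypothetical names), so the function runs offline.
$user = [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000001'
    UserPrincipalName = 'alex@contoso.example'; AccountEnabled = $false; OnPremisesSyncEnabled = $null }
$audits = @(
    [pscustomobject]@{ ActivityDateTime = [datetime]'2024-05-01T08:00:00Z'
        InitiatedBy = [pscustomobject]@{ User = [pscustomobject]@{ UserPrincipalName = 'admin@contoso.example' }; App = $null } },
    [pscustomobject]@{ ActivityDateTime = [datetime]'2024-06-10T02:15:00Z'
        InitiatedBy = [pscustomobject]@{ User = $null; App = [pscustomobject]@{ DisplayName = 'HR-Offboarding-Script' } } }
)
Get-DisableCause -User $user -Audits $audits | Format-List

# Live data instead of the samples (needs User.Read.All and AuditLog.Read.All):
#   $user   = Get-MgUser -UserId '<UPN or ObjectId>' -Property Id,UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled
#   $audits = Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq 'Disable account' and targetResources/any(t: t/id eq '$($user.Id)')"
```

The sync check runs first because a synced account's audit record names the sync service account as the actor, which would otherwise be reported as an administrator.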