What causes AADSTS120014?

The user's on-premises Active Directory account is locked out due to too many failed sign-in attempts. The on-premises AD account has been disabled by an administrator (e.g. offboarding or security action). Password writeback from Azure AD (Entra ID) to on-prem AD is enabled but the target account state blocks the write. Account Lockout Policy in on-prem AD (Group Policy) is triggering on stale credentials cached on a device or service. The user exists in Azure AD Connect sync scope but their on-prem AD object is in a disabled state in OU

How do I fix AADSTS120014?

Open Active Directory Users and Computers (or AD Administrative Center) on-premises and locate the affected user account. On the Account tab, check 'Unlock account' if locked, and ensure 'Account is disabled' is unchecked — apply changes. Verify Azure AD Connect is running and synced (Start-ADSyncSyncCycle -PolicyType Delta) so the unlocked/enabled state propagates to Entra ID. Check on-prem AD Account Lockout Policy and identify the source of bad password attempts (Event ID 4740 on the PDC) — often a cached credential on a phone, RDP session, or scheduled task. Have the user retry the password change at passwordreset.microsoftonline.com after sync completes (typically within 2 minutes)

Critical severityauthentication

Power BI Error:
AADSTS120014

What does this error mean?

Password change failed because the user's on-premises Active Directory account is locked out or disabled.

Common causes

1The user's on-premises Active Directory account is locked out due to too many failed sign-in attempts
2The on-premises AD account has been disabled by an administrator (e.g. offboarding or security action)
3Password writeback from Azure AD (Entra ID) to on-prem AD is enabled but the target account state blocks the write
4Account Lockout Policy in on-prem AD (Group Policy) is triggering on stale credentials cached on a device or service
5The user exists in Azure AD Connect sync scope but their on-prem AD object is in a disabled state in OU

How to fix it

1Open Active Directory Users and Computers (or AD Administrative Center) on-premises and locate the affected user account
2On the Account tab, check 'Unlock account' if locked, and ensure 'Account is disabled' is unchecked — apply changes
3Verify Azure AD Connect is running and synced (Start-ADSyncSyncCycle -PolicyType Delta) so the unlocked/enabled state propagates to Entra ID
4Check on-prem AD Account Lockout Policy and identify the source of bad password attempts (Event ID 4740 on the PDC) — often a cached credential on a phone, RDP session, or scheduled task
5Have the user retry the password change at passwordreset.microsoftonline.com after sync completes (typically within 2 minutes)

Frequently asked questions

What does AADSTS120014 mean?

PasswordChangeOnPremUserAccountLockedOutOrDisabled

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes